[Senate Report 111-368]
[From the U.S. Government Publishing Office]


                                                       Calendar No. 698
  
111th Congress 
 2d Session                      SENATE                          Report
                                                                111-368
_______________________________________________________________________


         PROTECTING CYBERSPACE AS A NATIONAL ASSET ACT OF 2010

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 3480

 TO AMEND THE HOMELAND SECURITY ACT OF 2002 AND OTHER LAWS TO ENHANCE 
      THE SECURITY AND RESILIENCY OF THE CYBER AND COMMUNICATIONS 
                  INFRASTRUCTURE OF THE UNITED STATES






               December 15, 2010.--Ordered to be printed
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware           SCOTT P. BROWN, Massachusetts
MARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana          GEORGE V. VOINOVICH, Ohio
CLAIRE McCASKILL, Missouri           JOHN ENSIGN, Nevada
JON TESTER, Montana                  LINDSEY GRAHAM, South Carolina
CHRISTOPHER A. COONS, Delaware       MARK KIRK, Illinois

                  Michael L. Alexander, Staff Director
                     Kevin J. Landy, Chief Counsel
            Deborah P. Parkinson, Professional Staff Member
              Adam R. Sedgewick, Professional Staff Member
                       Jeffrey E. Greene, Counsel
                   Jeanette Hanna-Ruiz, DHS Detailee
     Brandon L. Milhorn, Minority Staff Director and Chief Counsel
   Robert L. Strayer, Minority Director for Homeland Security Affairs
                Asha A. Mathew, Minority Senior Counsel
                    John K. Grant, Minority Counsel
          Devin F. O'Brien, Minority Professional Staff Member
          Denise E. Zheng, Minority Professional Staff Member
                  Trina Driessnack Tyrer, Chief Clerk







Mr. Lieberman, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 3480]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 3480) to amend the 
Homeland Security Act of 2002 and other laws to enhance the 
security and resiliency of the cyber and communications 
infrastructure of the United States, having considered the 
same, reports favorably thereon with an amendment and 
recommends that the bill, as amended, do pass.

                                CONTENTS

                              ----------                              
  I. Purpose and Summary
 II. Background and Need for the Legislation
III. Legislative History
 IV. Section-by-Section Analysis
  V. Evaluation of Regulatory Impact
 VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

                         I. Purpose and Summary

    S. 3480, the Protecting Cyberspace as a National Asset Act 
of 2010, seeks to modernize and strengthen the federal 
government's ability to safeguard the nation from cyber 
attacks. It would do so by creating a National Center for 
Cybersecurity and Communications (NCCC) within the Department 
of Homeland Security (DHS) that would be responsible for 
protecting both federal computer networks and critical 
infrastructure owned by the private sector against cyber 
attacks. The bill would also bring greater unity and efficiency 
to federal cybersecurity efforts by establishing a White House 
Office of Cyberspace Policy to coordinate federal work in the 
area and to advise the President on cybersecurity issues.

              II. Background and Need for the Legislation


               THREATS TO INFORMATION SYSTEMS AND ASSETS

    The history of the Internet begins with a Department of 
Defense project that sought to maintain command and control 
over its missiles and bombers after a nuclear attack--a system 
that would allow communication to continue working even if one 
node was attacked. In 1969, the project created ARPANET, a 
computer link between UCLA and Stanford which allowed academics 
and members of the research community to send packets of 
digital information to each other over computer networks. 
Ironically, this system which was conceived of to ensure 
communication during a national security crisis was itself 
never designed to be secure.
    Over the next 20 years, it remained a system used primarily 
by researchers and scientists in academia and government--a 
community where trust was not an issue and openness and easy 
access were seen as necessary for innovation. In the 1990s, the 
Internet was made available to a variety of commercial and 
governmental uses and the personal computer became more 
powerful and affordable. Today, the Internet permeates our 
society--it is an essential element for communication and for 
operating our financial systems, transportation systems, 
shipping, electrical power grid, oil and gas pipelines, nuclear 
plants, water systems, manufacturing, and the military. As of 
this year, over 1.9 billion people use the Internet, and more 
come online every day.\1\
---------------------------------------------------------------------------
    \1\The World In 2009: Facts and Figures, International Trade Union, 
http://www.itu.int/ITU-D/ict/material/Telecom09_flyer.pdf.
---------------------------------------------------------------------------
    Unfortunately, increased security has not fully accompanied 
this exponential growth. The combination of increasingly 
valuable information stored and accessible online and the 
growing use of the Internet to control components of our most 
critical infrastructure, coupled with the explosion of entry 
points and potential victims, has made the Internet an 
attractive avenue for new breeds of criminals, spies and 
warriors to exploit. They look at the Internet and see a 
gateway to everything from our personal bank accounts to 
industrial and government secrets to the very infrastructure--
the electric, utilities and financial sectors--our economy 
needs to function.

                         ECONOMIC CONSEQUENCES

    Security experts estimate that $1 trillion a year is lost 
to cybercrime.\2\ The computer security company McAfee surveyed 
executives of companies involved in critical infrastructure and 
reported that 54 percent said their companies had been the 
victims of denial of service attacks as well as network 
infiltration from organized crime groups, terrorists, and other 
nation-states. The downtime to recover from these attacks can 
cost as much as $6 million to $8 million a day.\3\
---------------------------------------------------------------------------
    \2\McAfee Report, ``In the Crossfire: Critical Infrastructure in 
the Age of Cyber-War,'' January 2010.
    \3\Ibid.
---------------------------------------------------------------------------
    In December 2009, Google and 30 other companies in the 
information technology, finance, technology, media and chemical 
sectors--most of them global Fortune 500 companies--were the 
targets of highly sophisticated attacks allegedly emanating 
from China in what appears to have been a massive attempt at 
industrial espionage and theft of intellectual property.\4\
---------------------------------------------------------------------------
    \4\The Official Google Blog, ``A New Approach to China,'' Jan. 12, 
2010, http://googleblog.blogspot.com/2010/01/new-approach-to-
china.html.
---------------------------------------------------------------------------
    In 2007, TJX Corporation--the parent company of T.J. Maxx 
and Marshall's department stores--experienced a breach in its 
wireless networks that left about 45 million credit and debit 
card numbers exposed to theft and cost the company about $25 
million to resolve.\5\ In early 2009, Heartland Payment Systems 
learned they had suffered a breach that allowed criminal access 
to in-transit payment card data, requiring them to spend $32 
million in the first half of 2009 to resolve. Later, Albert 
Gonzalez was indicted for both the TJX and Heartland attacks, 
among others.\6\
---------------------------------------------------------------------------
    \5\The Boston Globe, TJX Cost for Breach at $25 Million So Far, May 
16, 2007.
    \6\See Statement of Robert Carr, Chairman and CEO, Heartland 
Payment Systems, for hearing entitled, ``Cyber Attacks: Protecting 
Industry Against Growing Threats'' U.S. Senate Committee on Homeland 
Security and Governmental Affairs, September 14, 2009 at 2-3.
---------------------------------------------------------------------------
    It is not just large corporations that are vulnerable. 
Cyber criminals have stolen millions of dollars from small- to 
medium-sized businesses and local governments. In one incident, 
for example, unsuspecting financial officers received a 
seemingly innocuous e-mail that contained either a virus or an 
Internet link that installed a tiny piece of malicious computer 
code designed to steal passwords. The crooks would then 
patiently steal amounts less than the $10,000 that otherwise 
would have triggered a bank report under federal anti-money 
laundering requirements. The malicious code was so well written 
that the traffic seemed to be coming from an authorized 
computer and the bank could not see anything amiss. As a result 
of this scam, a school district near Pittsburgh lost $700,000; 
an electronics testing firm in Baton Rouge had $100,000 
disappear from its bank account, and a Texas manufacturing firm 
found itself short $1.2 million.\7\
---------------------------------------------------------------------------
    \7\The Washington Post, ``European Gangs Target Small U.S. Firms,'' 
Aug. 25, 2009.
---------------------------------------------------------------------------
    The Committee learned, during publicly held hearings, that 
the profits from some of these Internet fraud schemes are used 
to funnel money to terrorist organizations, which then use the 
funds to finance attacks against the United States and its 
allies.\8\
---------------------------------------------------------------------------
    \8\See Statement of Tom Kellerman, Vice President of Security 
Awareness, Core Security Technologies, for hearing entitled, ``Cyber 
Security: Developing a National Strategy'' U.S. Senate Committee on 
Homeland Security and Governmental Affairs, April 28th, 2009 at 2.
---------------------------------------------------------------------------

                           NATIONAL SECURITY

    Beyond the commercial and industrial threats posed by this 
new breed of cyber criminal, the United States also must be 
prepared for the very real possibility of ``cyber-war,'' 
``cyber espionage,'' or ``cyber-terrorism.'' We have known 
about these threats for years, and recently received 
confirmation that other countries will not shy away from 
opening a new front in cyberspace.
    Indeed, the concept of ``cyber war'' has required us to 
rethink the very notion of war itself, because threats to U.S. 
national security reach beyond military targets to critical 
infrastructure and the economy. In 2009, the Wall Street 
Journal reported that hackers have penetrated the U.S. 
electrical grid, mapped out the infrastructure, and left behind 
software programs that could be used to disrupt systems 
operating the grid.\9\ That same year, CIA analyst Tom Donahue, 
speaking before a power industry conference, warned that ``we 
have information from multiple regions outside the United 
States, of cyber-intrusion into utilities followed by extortion 
demands.''\10\
---------------------------------------------------------------------------
    \9\Wall Street Journal, ``Electricity Grid in U.S. Penetrated By 
Spies,'' April 8, 2009, 
http://online.wsj.com/article/SB123914805204099085.html.
    \10\Reuters, ``Has Power Grid Been Hacked? U.S. Won't Say,'' April 
8, 2009, http://www.reuters.com/article/idUSN0850385920090408.
---------------------------------------------------------------------------
    The possibility of attacks on civilian or non-military 
infrastructure as an adjunct to an armed conflict is real. The 
Russian invasion of Georgia in August 2008, for example, was 
accompanied by cyber attacks that took down Georgian government 
websites and denied Georgian civilians access to news and other 
online computer services.\11\
---------------------------------------------------------------------------
    \11\The New York Times, ``U.S. Steps up Efforts on Digital 
Defenses,'' April 27, 2009, 
http://www.nytimes.com/2009/04/28/us/28cyber.html.
---------------------------------------------------------------------------
    And the threat of a major and intentional cyber disruption 
can arise entirely outside the context of conventional warfare. 
In 2000, an Australian engineer angry at his former employer 
and a city government that refused to give him a job used his 
computer expertise to order local sewer systems to dump 200,000 
gallons of raw sewage into local parks and rivers, killing 
marine life and turning a local creek black with an unbearable 
stench.\12\
---------------------------------------------------------------------------
    \12\National Institute of Standards and Technology, Computer 
Security Resource Center, Malicious Control System Cyber Security 
Attack Case Study--Maroochy Water Services, Australia, http://
csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-
Case-Study_report.pdf.
---------------------------------------------------------------------------
    These kinds of attacks and intrusions are becoming 
pervasive, reported the Center for Strategic and International 
Studies (CSIS) Commission on Cybersecurity for the 44th 
Presidency. According to the Commission's 2008 report, the 
Departments of Defense, State, Homeland Security and Commerce, 
as well as NASA and the National Defense University, have all 
suffered ``major intrusions by unknown foreign entities''--and 
Department of Defense computers are being probed hundreds of 
thousands of times a day.\13\
---------------------------------------------------------------------------
    \13\Center for Strategic and International Studies Commission on 
Cybersecurity for the 44th Presidency, ``Securing Cyberspace for the 
44th Presidency'', at http://csis.org/files/media/csis/pubs/
081208_securingcyberspace_44.pdf.
---------------------------------------------------------------------------
    Some of the more troubling security breaches that have been 
reported in recent years include:
     The Commerce Department was forced to take down 
for months the computer systems of the Bureau of Industry and 
Security, whose mission is to ``advance national security, 
foreign policy, and economic objectives by ensuring an 
effective export control and treaty compliance system and 
promoting continued U.S. strategic technology leadership.''\14\
---------------------------------------------------------------------------
    \14\Center for Strategic and International Studies Commission on 
Cybersecurity for the 44th Presidency, ``Threats Posed to the 
Internet'', at http://csis.org/files/media/csis/pubs/
081028_threats_working_group.pdf.
---------------------------------------------------------------------------
     NASA's designs for new rocket launchers appear to 
have been compromised.\15\
---------------------------------------------------------------------------
    \15\Ibid.
---------------------------------------------------------------------------
     The State Department lost ``terabytes'' of 
information.\16\
---------------------------------------------------------------------------
    \16\Ibid.
---------------------------------------------------------------------------
     The unclassified e-mail of the Secretary of 
Defense was hacked.\17\
---------------------------------------------------------------------------
    \17\Ibid.
---------------------------------------------------------------------------
     A foreign intelligence agency inserted malicious 
code onto U.S. Central Command's classified military computer 
networks.\18\
---------------------------------------------------------------------------
    \18\Lynn, W. (2010). Defending a New Domain. Foreign Affairs, 
89(5), 97-108. Retrieved December 10, 2010, from ABI/INFORM Global. 
(Document ID: 2129061161).
---------------------------------------------------------------------------
     Stuxnet, a computer worm that was designed 
specifically to infiltrate industrial control systems and had 
the potential to overwrite commands in order to sabotage 
industrial facilities, was found on computer systems around the 
world.
    Besides exposing national security secrets that could give 
our opponents advance warning of our tactics, strategies and 
capabilities, this kind of espionage can lead to a loss of 
valuable military technologies and intellectual property that 
can cost the United States billions of dollars to develop and 
result in even more billions lost in economic benefits from 
innovation. ``We are not arming our competitors in cyberspace; 
we are providing them with the ideas and designs to arm 
themselves and achieve parity,'' the CSIS report said.\19\
---------------------------------------------------------------------------
    \19\Center for Strategic and International Studies Commission on 
Cybersecurity for the 44th Presidency, ``Securing Cyberspace for the 
44th Presidency'', at 13.
---------------------------------------------------------------------------
    Countries like China are actively building up cyber 
capabilities as part of their national security strategy. 
According to a Nov. 7, 2007 report by the bipartisan, 
congressionally-chartered U.S.-China Economic and Security 
Review Commission: ``Chinese espionage in the United States, 
now comprises the single greatest threat to the U.S. . . . 
Chinese military strategists have embraced disruptive warfare 
techniques, including the use of cyber attacks, and 
incorporated them in China's military doctrine. Such attacks, 
if carried out strategically on a large scale, could have 
catastrophic effects on the target country's critical 
infrastructure.''\20\
---------------------------------------------------------------------------
    \20\U.S.-China Economic and Security Review Commission, 2007 Report 
to Congress, November 2007, p. 7, www.uscc.gov/annual_report/2007/
07_annual_report.php.
---------------------------------------------------------------------------

                WHITE HOUSE OFFICE OF CYBERSPACE POLICY

    The CSIS cybersecurity report found that: ``Our government 
is still organized for the Industrial Age, for assembly lines 
and mass production. It is a giant, hierarchal conglomerate 
where the cost of obtaining information and making decisions is 
high when this requires moving across organizational 
boundaries.'' This kind of organization does not work in the 
age of the Internet and has helped create the kinds of Internet 
vulnerabilities we are experiencing now, the report said.
    CSIS recommended the creation of an office within the White 
House, headed by a Senate-confirmed Director who would oversee 
the broad contours of a new cybersecurity strategy, advise the 
President, and work with other executive branch agencies to 
implement the strategy and resolve any disputes.
    The Obama Administration, which conducted its own 
``Cyberspace Policy Review'' at the beginning of 2009, came to 
a similar conclusion:

         It's now clear this cyber threat is one of the most 
        serious economic and national security challenges we 
        face as a nation. It's also clear that we're not as 
        prepared as we should be, as a government or as a 
        country. . . . No single official oversees 
        cybersecurity policy across the federal government, and 
        no single agency has the responsibility or authority to 
        match the scope and scale of the challenge. Indeed, 
        when it comes to cybersecurity, federal agencies have 
        overlapping missions and don't coordinate and 
        communicate nearly as well as they should--with each 
        other or with the private sector.\21\
---------------------------------------------------------------------------
    \21\http://www.whitehouse.gov/assets/documents/
Cyberspace_Policy_Review_final.pdf.
---------------------------------------------------------------------------

    The President established a small Cybersecurity Directorate 
within the National Security Staff and tasked it with 
coordinating cyber security activities across the federal 
government. The head of the Directorate reports to both the 
National Security Council and National Economic Council 
leadership.
    The Committee agrees with the CSIS report and the President 
that White House leadership is needed to ensure a coordinated 
federal cybersecurity effort. The Committee believes, however, 
that establishing leadership within the NSC structure does not 
go far enough. S. 3480 instead would establish an Office of 
Cyberspace Policy within the Executive Office of the President 
to oversee all aspects of cyberspace policy, including 
military, law enforcement, intelligence, and diplomatic. A 
Senate-confirmed Director, accountable to the American people 
and to Congress, would lead the office.
    The Director of Cyberspace Policy would perform all the 
duties the President envisioned for the current Cybersecurity 
Directorate, with some important additions. The new office 
would also review budget requests relating to the national 
cybersecurity strategy and settle inter-agency disputes 
relating to the strategy and matters of policy.

                       DHS ROLE AND ORGANIZATION

    While the new Office of Cyberspace Policy would help lead 
and harmonize the Federal government's efforts, the Committee 
believes that more needs to be done on an operational level to 
protect government systems and critical infrastructure. To 
accomplish this, S. 3480 would create a new operational entity 
within DHS: the National Center for Cybersecurity and 
Communications (NCCC). The NCCC would sharpen our nation's 
focus on the security of civilian government systems and 
private sector networks, especially those that are most 
critical to our nation's welfare. The NCCC would partner with 
the private sector, in an effort to better understand and 
address the risks our nation faces from cyber threats.
    DHS already has the responsibility to protect the nation's 
federal civilian networks and to coordinate federal efforts to 
secure the nation's most critical infrastructure, including its 
cyber infrastructure. S. 3480 codifies these existing 
responsibilities and provides additional resources and tools 
necessary to ensure that DHS will succeed in this crucial 
mission.
    Title II of the Homeland Security Act of 2002, which 
created DHS, directs the Department to lead critical 
infrastructure protection efforts. Critical infrastructure is 
defined in the Act as ``systems and assets, whether physical or 
virtual, so vital to the United States that the incapacity or 
destruction of such systems and assets would have a 
debilitating effect on security, national economic security, 
national public health or safety, or any combination of these 
matters.''\22\ The Internet is itself critical infrastructure, 
and is increasingly essential to the reliable operation of many 
other critical infrastructure sectors. It is one of the main 
drivers of our economy, and is increasingly a key component of 
our national defense systems.
---------------------------------------------------------------------------
    \22\P.L. 107-296 (citing P.L. 107-56).
---------------------------------------------------------------------------
    A year after the Homeland Security Act was passed, 
President Bush released the National Strategy to Secure 
Cyberspace, which stated that DHS would be the ``focal point 
for the federal government to manage cybersecurity.''\23\ Later 
in 2003, the White House issued Homeland Security Presidential 
Directive 7 (HSPD-7) to implement the critical infrastructure 
responsibilities laid out in the Homeland Security Act. HSPD-7 
reinforced the leadership role of DHS on cybersecurity, 
stating, ``the Secretary of Homeland Security will continue to 
maintain an organization to serve as a focal point for the 
security of cyberspace.''\24\
---------------------------------------------------------------------------
    \23\``The National Strategy to Secure Cyberspace'' February 2003, 
pg. 22.
    \24\``Homeland Security Presidential Directive--7, Critical 
Infrastructure Identification, Prioritization, and Protection.'' 
December 17, 2003.
---------------------------------------------------------------------------
    In 2008, President Bush issued Homeland Security 
Presidential Directive 23 (HSPD-23) to implement the 
Comprehensive National Cybersecurity Initiative, which mainly 
focused on the protection of government networks. In HSPD-23, 
the President affirmed that DHS serves as the lead federal 
agency for the protection of all unclassified federal networks 
and for coordinating private sector cybersecurity efforts.
    Despite considerable progress, the Committee believes that 
the Department needs additional authorities to be successful in 
these missions. This includes additional authorities that 
previously belonged to the Office of Management and Budget 
relating to federal information security and the authority to 
set risk-based security performance requirements for our 
nation's most critical cyber infrastructure.
    The NCCC would be led by a Senate-confirmed Director, who 
would regularly advise the President regarding the exercise of 
authorities relating to the security of federal networks. The 
NCCC would include the United States Computer Emergency 
Response Team (US-CERT), and it would lead federal operational 
efforts to protect public and private sector networks. The NCCC 
would detect, prevent, analyze, and warn of cyber threats to 
these networks.
    Specifically, the NCCC would produce and share warning, 
analysis, and threat information with the private sector, other 
federal agencies, state and local governments, and 
international partners. It would also collaborate with the 
private sector to develop and promote best practices to help 
improve cybersecurity across the nation. The Center would 
provide technical assistance to private sector entities and 
state and local governments, as requested and permitted by 
resources, to help implement best practices, assess 
vulnerabilities, or otherwise improve the security of cyber 
networks. Sensitive information shared by the private sector 
with the NCCC, such as notifications of vulnerabilities or 
security breaches, would be protected from public disclosure. 
The bill encourages the NCCC to ensure that private sector 
owners and operators are able to obtain security clearances to 
access threat analysis and other information necessary to 
protect critical systems and assets.
    The Committee believes that by working in partnership and 
voluntarily sharing information with the private sector, the 
NCCC would have a better understanding of the threats and 
vulnerabilities our nation faces in cyberspace and would gain 
true ``situational awareness'' of the nation's overall 
cybersecurity posture.
    This situational awareness would be developed with strong 
privacy and civil liberty protections incorporated from the 
beginning. The bill would require the Director of the NCCC to 
develop specific guidelines to protect the privacy and civil 
liberties of U.S. Persons, which would be done in conjunction 
with the privacy officer of the NCCC. The Fair Information 
Practices developed by DHS should serve as the starting point 
for these guidelines. The bill creates no new authority to 
conduct electronic surveillance or to compel the disclosure of 
private information.

                        CRITICAL INFRASTRUCTURE

    Today the Internet impacts our lives in ways that most of 
us never see or even think about. It is no longer simply a 
mechanism for communication. Indeed, it plays an increasingly 
essential role in the things that make our very way of life 
possible, from the electricity that powers our homes, to the 
water we drink, to the gasoline we put in our cars. However, 
while the use of the Internet has brought increased efficiency 
to our industry and infrastructure, it has also brought with it 
increased risks. A system that is controlled over the Internet 
by its rightful owners is also a system that can be penetrated 
and potentially ``owned'' by a criminal, a spy, an enemy 
nation, or a terrorist.
    In 2007, the Department of Homeland Security demonstrated 
how vulnerable the country's most critical infrastructure is to 
a cyber attack. Many industrial processes are now automated and 
controlled by Supervisory Control and Data Acquisition systems 
(or SCADA systems). SCADA systems help to generate electricity, 
control the amount of water flowing through a dam, and operate 
nuclear power plants. In recent years, companies have increased 
efficiency and reduced cost by controlling SCADA systems over 
the Internet. For example, an electric facility no longer needs 
to send a technician to operate a remote substation in person 
when it can be done through a keyboard located in their 
headquarters for a fraction of the cost. However, this 
convenience comes with a security price. In an experiment named 
``Aurora,'' DHS demonstrated that an electrical generator 
connected to the Internet could be accessed remotely and given 
instructions that would literally cause it to self-destruct. A 
skilled enemy exploiting such a vulnerability on a mass scale 
could plunge our cities into darkness for weeks or months. 
Perhaps even more disturbing, this same risk is present in many 
other critical infrastructure sectors, such as nuclear power 
plants and water treatment facilities.
    The emergence of the ``Stuxnet'' worm in the summer of 2010 
demonstrated that a cyber attack on SCADA systems is no longer 
just a theoretical concern. According to numerous experts, 
Stuxnet was designed to target critical infrastructure control 
systems. While other worms have impacted these systems, Stuxnet 
is the first that actually seeks them out. Moreover, forensic 
analyses conducted by private sector experts have concluded 
that this worm is designed not just to steal information, but 
to take control of the mechanical processes of physical 
machinery. Thus, the machinery can be made to do whatever 
Stuxnet's authors want it to do, irrespective of the commands 
being given by the operators. Stuxnet has been found on systems 
around the world, including systems in the United States.
    The federal government must ensure that SCADA systems 
controlling our most critical infrastructure are not just 
minimally protected, but that they all maintain a high level of 
security consistent with the risk that a disruption could cause 
catastrophic damage. To achieve the security we need, S. 3480 
would establish a collaborative, cooperative partnership 
between our most critical infrastructure providers and our 
government.
    The bill would direct the NCCC to work with the private 
sector to develop risk-based security performance requirements 
to strengthen the cybersecurity of the nation's most critical 
infrastructure, including vital components of the electric 
grid, telecommunications networks, and control systems in other 
critical infrastructure that, if disrupted, would result in a 
national or regional catastrophe. Owners and operators of 
covered critical infrastructure would choose which security 
measures to implement to meet these risk-based security 
performance requirements. The NCCC would review and approve the 
measures selected, but could not approve or disapprove the 
proposed security plan based on the presence or absence of a 
particular security measure.
    Covered critical infrastructure would also have to report 
significant breaches to the NCCC to ensure the federal 
government has insight into the cyber risks that affect these 
crucial systems. The NCCC, in turn, would have to share 
information, including threat analyses, with owners and 
operators regarding risks to their networks. The Act would also 
provide protection against punitive and some non-economic 
damages to owners and operators of covered critical 
infrastructure who submit to DHS evaluations, successfully 
demonstrate compliance with their approved security plan during 
the evaluation, and can prove actual compliance at the time of 
any breach. This protection would only apply to harm directly 
caused by the breach, and would not affect any other types of 
damages sought as a result of it. Additionally, these 
provisions would not protect an owner or operator from any 
intervening act, omission, or negligence, even if the harm 
caused could also be attributed in some way to the breach.
    As noted, only those systems or assets whose disruption 
would cause a national or regional catastrophe would be subject 
to mandatory risk-based security performance requirements. DHS 
currently interprets ``national or regional catastrophe'' to 
include a combination of the following factors: greater than 
2,500 prompt fatalities; greater than $25 billion in first-year 
economic consequences; mass evacuations with a prolonged 
absence of greater than one month; or severe degradation of the 
nation's security capabilities. The Committee expects that the 
Department would continue to apply a similar standard in 
implementing S. 3480.
    Thus, the bill would establish a process that narrowly 
defines the systems and assets that the Secretary of Homeland 
Security could designate as covered critical infrastructure. 
Additionally, owners and operators who believe that a system or 
asset was erroneously designated as covered critical 
infrastructure would have the opportunity to appeal that 
designation. The NCCC would be required to coordinate with 
other federal agencies to avoid duplicative regulatory 
requirements and to maximize the efficient use of government 
resources.

                         EMERGENCY AUTHORITIES

    In February 2010, the Bipartisan Policy Center sponsored an 
exercise called ``Cyber ShockWave,'' which simulated a massive 
cyber attack on the United States.\25\ During the exercise, 
former Deputy Attorney General Jamie Gorelick, who played the 
role of the Attorney General, expressed concern that the 
President's authorities during a cyber attack are unclear. In 
particular, she noted on several occasions during the exercise 
that there is no defined authority or settled law controlling 
what the President can direct the private sector to do, even if 
a threat to the private sector could cause mass casualties or 
catastrophic economic loss.\26\
---------------------------------------------------------------------------
    \25\Bipartisan Policy Center is a non-profit organization 
established to ``develop and promote solutions that can attract public 
support and political momentum in order to achieve real progress.'' See 
http://www.bipartisanpolicy.org/about.
    \26\http://transcripts.cnn.com/TRANSCRIPTS/1002/20/se.01.html.
---------------------------------------------------------------------------
    The Obama Administration echoed this concern in its 2009 
``Cyberspace Policy Review,'' where it noted the continuing 
ambiguity over ``what authorities are available for the 
government to protect privately owned critical 
infrastructure.''\27\
---------------------------------------------------------------------------
    \27\White House Cyberspace Policy Review at http://
www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf, 
pg. 3.
---------------------------------------------------------------------------
    In testimony before the Committee, DHS Deputy 
Undersecretary Philip Reitinger asserted that the federal 
government believes it may have the authority to direct private 
sector response to a cyber emergency under Section 706 of the 
Telecommunications Act of 1934 and other unspecified laws.\28\ 
The Committee understands that Section 706 gives the President 
the authority to take over wire communications in the United 
States and, if the President so chooses, shut a network 
down.\29\ But it is not clear that the President could order a 
lesser action, such as the blocking of a particular malicious 
signature or directing a company outside of the communications 
sector, such as an electricity generation facility, to take 
action to protect its cyber networks. It is this gap that S. 
3480 is meant to fill.
---------------------------------------------------------------------------
    \28\See Statement of Philip R. Reitinger, Deputy Under Secretary, 
National Protection and Programs Directorate, U.S. Department of 
Homeland Security, for hearing entitled, ``Protecting Cyberspace as a 
National Asset: Comprehensive Legislation for the 21st Century'' U.S. 
Senate Committee on Homeland Security and Governmental Affairs, June 
15, 2010 at 8.
    \29\47 U.S.C. Sec. 606.
---------------------------------------------------------------------------
    The bill would establish clear authority for the President, 
in the event of an actual or imminent attack on covered 
critical infrastructure, to direct certain limited emergency 
measures to protect the American people. It would allow the 
President to take such action quickly, without any debate over 
what authorities the government actually has or the need to 
resort to the drastic measure of taking over an entire 
communications network. Moreover, the bill would require 
notification to Congress on the threat and proposed response 
prior to any emergency declaration, unless the nature of the 
attack required that the notice be provided as soon as possible 
after a declaration.
    S. 3480 would do this by creating a process through which 
the President could authorize emergency measures, limited in 
both scope and duration, to protect the nation's most critical 
infrastructure if a cyber vulnerability was being exploited or 
was about to be exploited. The bill would require the President 
to notify Congress of the threat, why existing security 
practices are inadequate to mitigate the threat, and what 
emergency measures are necessary to protect the American 
public. Any emergency measures imposed must be the least 
disruptive necessary to respond to the threat, and would expire 
after 30 days unless the President orders an extension. 
Congress would have to approve any extension of the emergency 
authorities beyond 120 days.
    In determining whether an emergency measure is the ``least 
disruptive means'' possible, the bill requires the President to 
consider not just the impact to the affected system, but also 
the broader impact the measure would have on the overall 
national information infrastructure. The bill expressly 
precludes the President from ``taking over'' any covered 
critical infrastructure, and it does not authorize any new 
surveillance authorities. The President must also ensure that 
the privacy and civil liberties of the American people are 
protected while emergency measures are in place.

                              FISMA REFORM

    In the mid-1990s, Congress was concerned that previously 
isolated, mission critical, federal information systems were 
becoming increasingly interconnected to an ever-expanding 
Internet. In 2002, Congress passed the Federal Information 
Security Management Act (FISMA)\30\ to protect sensitive 
government information and information systems from 
unauthorized access or destruction by employees, outside 
hackers, terrorists, or even nation-states. The legislation, at 
its core, established a risk-based framework whereby the 
National Institute of Standards and Technology (NIST) developed 
minimum standards of security protection for agencies based on 
the criticality of the information and the information system 
operated by the agency. Agencies were then responsible for 
implementing the standards developed by NIST to ensure adequate 
security of their systems and information. The Office of 
Management and Budget (OMB) coordinated and managed the 
implementation of FISMA government-wide, requiring agencies to 
certify and accredit major information systems every 3 years. 
Inspectors General (IG) then evaluate whether agencies 
appropriately conducted certifications and accreditations, 
thereby determining whether agencies adequately managed the 
risks to their systems. FISMA also established an information 
security incident response center to help agencies analyze 
threats to their system.
---------------------------------------------------------------------------
    \30\P.L. 107-347.
---------------------------------------------------------------------------
    The Committee believes that FISMA established a foundation 
for the government to ensure risk-based and cost-effective 
security but was not implemented in a manner that effectively 
helped agencies to secure their systems. The Act must be 
strengthened and streamlined, both legislatively and through 
more effective Executive Branch implementation. Title III of S. 
3480 reflects lessons learned over the past eight years of 
FISMA implementation, input from leading public and private 
sector cybersecurity experts, numerous public hearings and 
closed-door classified briefings, and Committee investigations.
    The Committee attributes a large part of FISMA's 
implementation failures to the limited budget, staff, and 
technical capability of OMB. Although OMB has talented and 
skilled employees, the Office of Information and Regulatory 
Affairs and the Office of Electronic Government and Information 
Technology, the two OMB offices charged with implementing the 
law, do not have the resources to manage all of the priorities 
surrounding information policy, of which information security 
is only a subset. In practice, OMB has effectively relied on 
agencies to self-police their own decision making and security.
    Similarly, while the threat landscape is constantly 
evolving, the process by which NIST develops information 
security standards can take years. Agencies testified before 
the Subcommittee on Federal Financial Management, Government 
Information, Federal Services, and International Security that 
these standards, and NIST guidance in general, do not provide 
enough operational information on how to best align security 
controls to the threat landscape.
    Without that information, agencies have been left to make 
independent decisions on how to best secure their systems from 
all manner of threats. But cybersecurity is typically not a 
primary mission for many agencies, and most do not have 
personnel with the security clearances needed to fully 
understand the evolving threat. As a result, many agencies are 
left with inadequate protection.
    Further, there are no commonly accepted government-wide 
standards or guidance on how to effectively evaluate agency 
information security programs to guide IG reviews. Instead, OMB 
implementation guidance on FISMA is interpreted differently 
from agency to agency, and agencies often rely on private 
sector contractors to execute the evaluation instead of the IG. 
Often agencies overlook key elements of their information 
infrastructure, including mainframes and messaging services. 
Additionally, IGs often lack access to classified threat 
information to evaluate whether agencies are appropriately 
managing their risks. In short, FISMA has become little more 
than a paperwork exercise, rather than the dynamic and 
effective security program it was meant to be.\31\
---------------------------------------------------------------------------
    \31\More Security, Less Waste: What Makes Sense for our Federal 
Cyber Defense. Senate Subcommittee on Federal Financial Management, 
Government Information, Federal Services, and International Security, 
October 2009 and Agencies in Peril: Are We Doing Enough To Protect 
Federal IT and Secure Sensitive Information? Senate Subcommittee on 
Federal Financial Management, Government Information, Federal Services, 
and International Security, March 2008.
---------------------------------------------------------------------------
    S. 3480 continues the risk-management framework laid out in 
2002, but addresses shortfalls by amending the law in several 
key areas. Most important, the bill would transfer oversight of 
cybersecurity within civilian agencies from OMB to the newly 
established NCCC, which would have significantly more staff, 
technical capabilities, and resources to both prevent cyber 
attacks and assist agencies if such attacks do occur. Further, 
the bill would ensure that agency Chief Information Security 
Officers (CISO) have access to classified threat information to 
make the necessary risk-based decisions to defend their 
networks. The bill also requires agencies to test their 
security programs through an operational evaluation. These 
operational evaluations would simulate hackers trying to 
infiltrate, modify, steal, or destroy agencies' sensitive 
information and critical systems and would be conducted by 
teams of individuals who work for either the agency or the 
NCCC. Lastly, the bill would establish an interagency Federal 
Information Security Taskforce, which would allow the Executive 
Branch sufficient flexibility to work within the law's 
framework to handle new and emerging threats.
    These changes included in the legislation should improve 
security while decreasing the cost of FISMA compliance across 
the government.

                          FEDERAL PROCUREMENT

    Section 253 of the bill requires the DHS Secretary, in 
collaboration with other federal agencies and the private 
sector, to develop, update, and implement a supply chain risk 
management strategy to ensure the security of the 
communications and information technology products and services 
purchased by the federal government. It then directs the 
Federal Acquisition Regulatory Council (FAR Council) to use its 
existing authority over federal government procurements to 
implement the strategy, in much the same way as efforts already 
under way at the Department of Defense and DHS as part of 
Initiative 11 of the Comprehensive National Cybersecurity 
Initiative (CNCI).
    Homeland Security Presidential Directive-23 explained the 
need for supply chain risk management for government 
information technology procurements:

          Globalization of the commercial information and 
        communications technology marketplace provides 
        increased opportunities for those intent on harming the 
        United States by penetrating the supply chain to gain 
        unauthorized access to data, alter data, or interrupt 
        communications. Risks stemming from both the domestic 
        and globalized supply chain must be managed in a 
        strategic and comprehensive way over the entire 
        lifecycle of products, systems and services. Managing 
        this risk will require a greater awareness of the 
        threats, vulnerabilities, and consequences associated 
        with acquisition decisions; the development and 
        employment of tools and resources to technically and 
        operationally mitigate risk across the lifecycle of 
        products (from design through retirement); the 
        development of new acquisition policies and practices 
        that reflect the complex global marketplace; and 
        partnership with industry to develop and adopt supply 
        chain and risk management standards and best 
        practices.\32\
---------------------------------------------------------------------------
    \32\The Comprehensive National Cybersecurity Initiative. http://
www.whitehouse.gov/cyber security/comprehensive-national-cybersecurity-
initiative.
---------------------------------------------------------------------------

    The Committee agrees with this assessment.
    Section 253 would create a flexible and comprehensive 
approach, in partnership with industry, to confront these risks 
and to ensure that there is greater security built into 
critical federal networks and systems. Developing a single, 
unified, approach to this problem will be less burdensome for 
industry than myriad agency policies developed ad hoc. In fact, 
the FAR Council is currently considering three cases that 
propose cybersecurity related changes to the FAR.\33\
---------------------------------------------------------------------------
    \33\There are three cybersecurity cases currently pending before 
the FAR Council--FAR Case 2009-032, Sharing Cyber Threat Information; 
FAR Case 2009-030, Safeguarding Unclassified Information; FAR Case 
2008-019, Authentic IT Products.
---------------------------------------------------------------------------
    The Committee believes this section will result in a 
prioritization of security practices based on the sensitivity 
of the systems, avoiding a prescriptive ``one-size-fits all'' 
solution. Moreover, the provision recognizes that better 
security often comes from the private sector, and requires the 
strategy ``to the maximum extent practicable, promote the 
ability of federal agencies to procure authentic commercial off 
the shelf information and communications technology products 
and services from a diverse pool of suppliers.'' This is 
further echoed in the requirement in subsection (d) that the 
strategy ``be consistent with the preferences for the 
acquisition of commercial items under section 2377 of title 10, 
United States Code, and section 314B of the Federal Property 
and Administrative Services Act of 1949 (41 U.S.C. 264b).''
    The Committee believes that increasing the security of IT 
products and services sold to the federal government will help 
promote increased security in the private sector. On June 15, 
2010, the Committee heard testimony from witnesses representing 
electric and telecommunications companies arguing that Section 
253 will help their sectors improve security because of the 
effect of the government's purchasing power throughout the 
market. Sara Santarelli, Chief Network Security Officer at 
Verizon testified, ``We would like to see the government 
definitely drive [security controls] into . . . equipment 
providers so that as we take that equipment and build networks 
and applications, that equipment [incorporates those] security 
requirements.''

                 ENHANCING THE CYBERSECURITY WORKFORCE

    One of the Federal government's biggest challenges in 
providing cybersecurity leadership is finding the qualified 
people necessary to do the job. The need for cybersecurity 
experts is growing rapidly in both the public and private 
sector. The government must be competitive with the private 
sector and other institutions if it is to attract the talent it 
will need over the coming decades. According to a 2009 report 
by the Partnership for Public Service, ``[the] federal 
government will be unable to combat [cyber] threats without a 
more coordinated, sustained effort to increase cybersecurity 
expertise in the federal workforce.''\34\ The report cites 
fragmented leadership and a lack of consistent guidance to 
hiring managers as key culprits in the government's inability 
to recruit and retain highly skilled cyber experts.
---------------------------------------------------------------------------
    \34\Partnership for Public Service, ``Cyber In-security: 
Strengthening the Federal Cybersecurity Workforce.'' July 2009 at 1. 
http://www.ourpublicservice.org/OPS/publications/viewcontent 
details.php?id=135.
---------------------------------------------------------------------------
    The Federal government must have a strategic, long-term 
plan to get federal agencies the staff they need to perform 
their cyberspace mission. S. 3480 would require the Office of 
Personnel Management (OPM) to assess the state of readiness of 
the federal workforce and to identify areas of improvement or 
gaps that need to be addressed.
    OPM's existing occupation classifications do not accurately 
reflect the cyber-related positions currently within the 
government or those needed in the future. The Committee has 
learned that program managers seeking to hire individuals with 
a certain cyber skill set find that they are unable to 
advertise for the position or specific qualifications they need 
and instead must adapt the job description to fit the current 
classifications. Thus, S. 3480 would direct OPM to develop 
comprehensive occupation classifications not only for the 
positions in existence for work being done today, but also to 
assist agencies in developing career paths for employees so we 
may retain them in federal government service. This career path 
would include training and development opportunities.
    The Committee believes that the federal government must 
develop a pipeline of capable students in the fields of 
science, technology, engineering, and mathematics to provide 
the workforce it will need in the future. Unfortunately, the 
number of degrees awarded in computer science and other 
technical fields is declining while our need for professionals 
with that expertise is growing. To begin to address this need, 
S. 3480 would direct the Department of Education working with 
state and local governments and other entities, to develop 
curriculum standards, guidelines, and recommended courses to 
address cyber safety, cybersecurity, and cyber ethics for 
students in kindergarten through grade twelve, as well as 
undergraduate, graduate, vocational, and technical 
institutions.
    In addition, S. 3480 would create a National Cyber 
Challenge to help identify potential candidates with badly 
needed, highly specialized skills. Such challenges have already 
been used by government agencies, academic institutions, and 
private sector companies with considerable success. These 
challenges test participants' abilities to exploit software and 
hardware weaknesses, crack encrypted codes, and defend against 
cyber attacks. Some of the participants who won these 
challenges were high-school students who attended schools with 
no computer science program and who otherwise might not have 
readily come to a recruiter's attention. The national challenge 
would greatly assist in recruiting individuals with world-class 
skills to help keep our nation's critical infrastructure and 
government agencies secure.

                        III. Legislative History

    On June 10, 2010, Senators Lieberman, Collins and Carper 
introduced S. 3480, which was referred to the Senate Committee 
on Homeland Security and Governmental Affairs.
    The Committee held a hearing on June 15, 2010, titled: 
``Protecting Cyberspace as a National Asset: Comprehensive 
Legislation for the 21st Century.'' The Committee received 
testimony from Philip R. Reitinger, Deputy Under Secretary, 
National Protection and Programs Directorate, U.S. Department 
of Homeland Security; Frances Fragos Townsend, Chairwoman of 
the Board, Intelligence and National Security Alliance; Alan 
Paller, Director of Research, SANS Institute; Steven T. 
Naumann, Vice President, Wholesale Market Development, Exelon 
Corporation; and Sara C. Santarelli, Chief Network Security 
Officer, Verizon Communications Inc.
    The Committee considered S. 3480 on June 24, 2010. The 
Committee adopted by voice vote a substitute amendment, which 
made both substantive and technical edits, offered by Senators 
Lieberman, Collins and Carper. The substitute amendment 
clarified the federal government's responsibility to protect 
privacy, civil liberties, and proprietary information 
throughout the bill. It also added identity management and 
authentication as an area of responsibility of the Director of 
the White House Office of Cyberspace Policy, and transferred to 
that Office the responsibility for the communications-related 
national security and emergency preparedness functions 
currently residing with the White House Office of Science and 
Technology Policy.
    The substitute amended Section 249, which establishes the 
``National Cyber Emergency'' authority, in three ways. First, 
it required Congressional approval for the President to extend 
the application of emergency measures beyond 120 days. Second, 
in order to ensure that owners and operators of critical 
infrastructure do not have a disincentive to propose 
alternative security measures during an emergency, the 
amendment provides liability protections equivalent to those 
associated with directed measures if the Director of the NCCC 
affirmatively determines that the measures are at least as 
effective as those mandated by the government. Third, it makes 
clear that a declaration of a National Cyber Emergency does not 
give the government authority to take certain actions, 
including compelling disclosure of information not otherwise 
authorized by law, conducting surveillance, and taking over the 
operations of privately owned critical infrastructure networks.
    The substitute also clarified the definition of covered 
critical infrastructure by adding language to make more 
explicit the factors to be considered in the designation of 
such critical systems. Lastly, the term ``cyber vulnerability'' 
was changed to ``cyber risk'' to better reflect language used 
in the information technology industry and avoid possible 
confusion.
    The Committee ordered the bill favorably reported, as 
amended, by voice vote. Members present for the votes on both 
the substitute amendment and the bill were Senators Lieberman, 
Levin, Akaka, Carper, Pryor, Kaufman, Collins, Coburn, and 
McCain.

                    IV. Section-by-Section Analysis


Section 1. Short Title

    The short title of the bill is the ``Protecting Cyberspace 
as a National Asset Act of 2010.''

Section 2. Table of Contents

    Section 2 provides the table of contents for this Act.

Section 3. Definitions

    Section 3 defines the following terms: appropriate 
congressional committee, critical infrastructure, cyberspace, 
director, federal agency, federal information infrastructure, 
incident, information infrastructure, information security, 
information technology, intelligence community, key resources, 
National Center for Cybersecurity and Communications, national 
information infrastructure, national security system, national 
strategy, office, resiliency, risk, and risk-based security.

                  TITLE I. OFFICE OF CYBERSPACE POLICY


Section 101. Establishment of the Office of Cyberspace Policy

    Section 101 establishes an Office of Cyberspace Policy 
(``the Office'') within the Executive Office of the President 
(EOP). The Section would give the Office the responsibility for 
developing a national strategy to increase the security and 
resiliency of cyberspace as well as for overseeing, 
coordinating and integrating all policies and activities of the 
federal government related to the security and resiliency of 
cyberspace.

Section 102. Appointment and responsibilities of the Director

    Section 102 would require the President to appoint, and the 
Senate to confirm, the Director of the Office. The Director 
would advise the President on all cybersecurity matters, work 
with federal agencies and other EOP offices to ensure the 
implementation of the national strategy, coordinate the 
development of regulations and standards applicable to the 
national information infrastructure by federal agencies, and 
resolve any interagency disputes. The Director would also 
ensure that cybersecurity policies safeguard privacy and civil 
liberties.

Section 103. Prohibition on political campaigns

    Section 103 would prohibit the Director of Cyberspace 
Policy from participating in certain political activities.

Section 104. Review of federal agency budget requests relating to the 
        national strategy

    Section 104 would require the Director of Cyberspace Policy 
to review each federal agency's budget submission to the Office 
of Management and Budget (OMB) to determine the adequacy of the 
request with respect to the implementation of the national 
strategy and to make recommendations to the Director of OMB 
based on the review. The Director of Cyberspace Policy would 
play a crucial role in the budget process, ensuring that agency 
budgets reflect the goals and objectives outlined in the 
National Strategy.

Section 105. Access to intelligence

    Section 105 would give the Director of Cyberspace Policy 
access to any information possessed by a federal agency that is 
relevant to cybersecurity policy, regardless of the 
information's level of classification.

Section 106. Consultation

    Section 106 states that the Director of Cyberspace Policy 
may consult with any Presidential and other advisory bodies 
while executing the responsibilities of the Office.

Section 107. Reports to Congress

    Section 107 would require the Director of Cyberspace Policy 
to report to Congress annually on the activities carried out by 
the Office of Cyberspace Policy. The section would require the 
Director to submit an unclassified and publicly available 
version of the report, although the Committee anticipates that 
the Director may also need to attach a classified, non-public 
annex.

     TITLE II. NATIONAL CENTER FOR CYBERSECURITY AND COMMUNICATIONS


Section 201. Cybersecurity

    Section 201 would amend Title II of the Homeland Security 
Act (HSA) of 2002 to add the sections described below.
            New Section 241 of the HSA
    Section 241 would define the following terms: agency 
information infrastructure, covered critical infrastructure, 
cyber risk, federal information infrastructure, incident, 
information infrastructure, information security, information 
sharing and analysis center, information system, intelligence 
community, management controls, national cyber emergency, 
national information infrastructure, operational controls, 
sector-specific agency, sector coordinating councils, security 
controls, small business concern, and technical controls.
            New Section 242 of the HSA
    Section 242 would establish a National Center for 
Cybersecurity and Communications (NCCC or the Center) within 
the Department of Homeland Security. The Center would be headed 
by a Director appointed by the President and confirmed by the 
Senate. The Director would report directly to the Secretary of 
Homeland Security and serve as the principal advisor to the 
Secretary on cybersecurity and communications matters. The 
Director would also regularly advise the President regarding 
the security of federal government networks. The Center would 
have at least two Deputy Directors, one responsible for 
coordination with DHS's Office of Infrastructure Protection and 
one responsible for coordination with the Intelligence 
Community. The Center would also have staff detailed from the 
Departments of Defense, Justice, and Commerce as well as the 
intelligence community and the National Institute of Standards 
and Technology (NIST). It would also have a full-time Chief 
Privacy Officer who would report to the Director.
    The Director would be responsible for leading the federal 
effort to secure, protect, and ensure the resiliency of the 
information infrastructure of the United States. The Director's 
specific responsibilities would include: assisting in the 
identification, remediation, and mitigation of vulnerabilities; 
providing dynamic, comprehensive, and continuous situational 
awareness; conducting risk-based assessments; assisting NIST in 
developing standards; providing agencies with mandatory 
security controls to mitigate and remediate vulnerabilities; 
developing policies and guidance for federal procurements; 
assisting with international engagement; overseeing the 
development, implementation, and management of external access 
points for federal networks; establishing, developing and 
overseeing capabilities and operations within the United States 
Computer Emergency Readiness Team (US-CERT); fostering 
collaboration with federal, state, and local governments; and 
overseeing the operations of the National Communications 
System.
    As a direct report to the Secretary, the National Center 
for Cybersecurity and Communications would be an operational 
component within the Department, akin to the Transportation 
Security Administration, Customs and Border Protection, and the 
United States Secret Service. This would allow the NCCC to 
manage its own hiring, procurement, and security, ensuring 
these functions are tailored to the needs of the Center and are 
responsive to the Director.
    The two statutory deputies reflect the unique mission of 
the Center. The links among physical infrastructure protection, 
cybersecurity, and communications systems are considerable--and 
growing--and the requirement that one deputy have expertise in 
physical infrastructure protection would facilitate 
coordination across these areas. The intelligence-focused 
deputy, which the Committee assumes would be detailed from the 
National Security Agency, would ensure that the knowledge and 
expertise that resides in the intelligence community is 
integrated into the NCCC from the outset.
    The Committee places critical importance on safeguarding 
privacy rights and civil liberties. The bill would create a 
full-time Privacy Officer for the Center to ensure that privacy 
and civil liberties are taken into account in every aspect of 
the Center's policy and operations. The Committee encourages the 
Privacy Officer to regularly engage with the DHS Chief Privacy 
Officer, the White House Office of Cyberspace Policy, and non-
governmental privacy and civil liberties experts to share 
information and ensure coordination.
    New Section 242 also authorizes the Director to analyze the 
budgets of other federal agencies and make recommendations to 
OMB and the White House Office of Cyberspace Policy regarding 
the adequacy of the proposed budgets to secure federal 
networks. The NCCC would have relevant information on the state 
of the federal information infrastructure which would give it a 
unique ability to provide input on the adequacy of agency 
budget requests.
            New Section 243 of the HSA
    Section 243 would require the Director of the Center and 
the Assistant Secretary for Infrastructure Protection to 
coordinate on matters regarding the security and resiliency of 
the nation's critical infrastructure.
            New Section 244 of the HSA
    Section 244 would codify the United States Computer 
Emergency Readiness Team (US-CERT) within the NCCC. US-CERT 
would be responsible for the collection, coordination, and 
dissemination of information regarding risks to the federal 
information infrastructure and the enhancement of the security 
of the national information infrastructure. US-CERT would serve 
as the primary point of contact within the NCCC for other 
federal agencies, state and local governments, and the private 
sector.
    US-CERT would provide analysis and report to federal 
agencies on the security of their networks; provide continuous, 
automated monitoring of the federal information infrastructure 
at the external access points; develop, recommend, and deploy 
security controls; support federal agencies in conducting risk 
assessments; develop predictive analysis tools; and aid in the 
detection of and warn owners/operators of the national 
information infrastructure regarding risks. US-CERT would 
designate a principal point of contact for each federal agency 
in order to maintain regular communication and respond to 
inquiries or requests.
            New Section 245 of the HSA
    Section 245 would give the Director of the NCCC access to 
any information possessed by a federal agency that is relevant 
to the execution of the responsibilities of the position.
    The section would also authorize the Director to conduct 
risk-based operational evaluations (known as ``red teaming'' 
and ``blue teaming'') to evaluate the security of the federal 
information infrastructure. If the Director determines through 
the operational evaluation that a federal agency is not in 
compliance with federal guidelines, the Director, working in 
conjunction with the head of the agency, may direct the 
implementation of corrective measures and mitigation plans. If 
the agency fails to take the directed corrective measures and 
this failure presents a significant risk to the federal 
information infrastructure, the Director may direct the 
isolation of the agency's information infrastructure, 
consistent with the contingency or continuity of operations 
plans applicable to that agency, until the agency takes 
necessary corrective measures.
            New Section 246 of the HSA
    Section 246 would give the Director of the NCCC 
responsibility for developing information sharing programs 
between and among federal agencies, state and local 
governments, the private sector, and international partners. 
The Center would establish policies and procedures for sharing 
classified and unclassified information relevant to the 
security of the federal and national information 
infrastructure, including threats, vulnerabilities, incidents, 
and anomalous activities. The policies and procedures would 
establish mechanisms for sharing the information, offer 
guidance on what information should be shared, and protect the 
information from disclosure.
    The Committee expects the Director of the Center to develop 
standard operating procedures for sending and receiving 
information from agencies; protocols for how information would 
be requested; and how routine and urgent information requests 
are distinguished. The Director should also ensure that each 
Federal agency has continual access to the agency data 
collected by US-CERT, including raw data.
    This section would require owners and operators of covered 
critical infrastructure to report to the NCCC significant 
breaches of their networks that could lead to the disruption of 
the critical functions of the covered critical infrastructure. 
The section also directs the NCCC to develop guidance on the 
form and content of these incident reports. In so doing, the 
Committee expects the guidelines will help avoid overly 
burdensome notifications on routine threats and focus reporting 
on only those incidents that could undermine the reliable 
operation of the system and cause a catastrophe. The bill, 
however, explicitly clarifies that this requirement does not 
affect the Wiretap Act, the Electronic Communications Privacy 
Act, or the Foreign Intelligence Surveillance Act, or otherwise 
authorize the Department to compel the disclosure of 
information from a private sector entity.
            New Section 247 of the HSA
    Section 247 would direct the Director of the NCCC to engage 
regularly with standards setting bodies to encourage the 
development of, and recommend changes to, cybersecurity 
standards and guidelines. The Director would also establish a 
program to promote cybersecurity best practices and provide 
technical assistance relating to the implementation of best 
practices, and related standards and guidelines, for securing 
the national information infrastructure. The section directs 
that to the extent practicable, these best practices should be 
based on existing standards developed by the private sector or 
standard setting bodies. The Committee understands that often 
cybersecurity standards are written in a manner that only 
technical experts can implement. The Committee expects that 
best practices targeted at the national information 
infrastructure will be prioritized, easily understandable or 
accompanied by implementation guidance, and informed by both 
classified and unclassified threat information analyzed by the 
Center.
            New Section 248 of the HSA
    Section 248 would require the Director to work with the 
private sector and relevant sector-specific agencies to 
identify and evaluate cyber risks to covered critical 
infrastructure on a sector-by-sector basis. The section would 
require the Director to complete this evaluation and report to 
Congress on these efforts within 120 days of the passage of 
this Act.
    The section then would require the Director to work with 
the private sector and relevant sector-specific agencies to 
issue interim final regulations establishing risk-based 
security performance requirements to secure covered critical 
infrastructure against identified cyber risks. The NCCC would 
inform owners and operators of covered critical infrastructure 
of identified vulnerabilities. The owners and operators would 
then inform the Director of which security measures they intend 
to implement to meet the performance requirements. Owners and 
operators would have the flexibility to implement any security 
measure that the Director determines satisfies the security 
performance requirements. The Director, however, would not have 
the authority to mandate any specific security measure--only 
that the measures selected by the owners and operators meet the 
applicable risk-based security performance requirements. 
Consistent with any applicable treaty obligations, the Director 
would also work with owners and operators of critical 
infrastructure outside the United States to inform them of 
cyber risks and appropriate security measures.
            New Section 249 of the HSA
    Section 249 states that if the President determines there 
is a threat of an actual or imminent effort to exploit cyber 
risks to covered critical infrastructure, the President may 
declare a National Cyber Emergency, with notification to 
Congress and owners and operators of affected covered critical 
infrastructure. The notification to Congress must include the 
nature of the threat, the reason existing security measures are 
deficient, and the proposed emergency measures needed to 
address the threat. If the President exercises this authority, 
the Director of the NCCC could issue mandatory emergency 
measures necessary to preserve the reliable operation of 
covered critical infrastructure. Owners and operators of the 
covered critical infrastructure would be allowed to propose and 
implement alternative security measures if the Director 
determined that these proposed measures were as effective as 
the directed measures. Emergency declarations could be extended 
by the President in 30-day increments; however, Congressional 
approval would be required for any extension of a National 
Cyber Emergency beyond 120 days. Owners and operators of 
covered critical infrastructure who comply with the 
requirements could, in certain circumstances, receive liability 
protections that range from limitations on punitive and non-
economic damages to indemnifications by the United States 
Government for damages attributable to the implementation of 
certain security measures.
    The Committee does not intend for the exercise of any 
authority provided by this section to preclude owners and 
operators from taking other actions to secure their systems, so 
long as they implement the directed measures or approved 
alternatives and the additional measures do not undermine the 
directed or approved alternative measures.
            New Section 250 of the HSA
    Section 250 would require owners and operators of covered 
critical infrastructure to certify annually and in writing to 
the Director of the Center that they are in compliance with the 
security requirements established under Section 249. The 
section would authorize the Director to perform evaluations of 
the covered infrastructure to determine compliance. The 
Committee believes the Director of the Center should, where 
possible, utilize existing federal resources to assist in the 
evaluations. Failure to comply with the regulations could 
result in civil penalties. Owners and operators of covered 
critical infrastructure who submit to DHS evaluations, 
successfully demonstrate compliance with their approved 
security measures during the evaluation, and can prove 
compliance at the time of any breach would receive protection 
from punitive and certain non-economic damages associated with 
that breach.
            New Section 251 of the HSA
    Section 251 would require the NCCC to protect from public 
disclosure sensitive information submitted to the Center and to 
issue guidelines detailing how information, including 
information regarding threats, vulnerabilities, and incidents, 
would be shared with appropriate government and private sector 
partners.
            New Section 252 of the HSA
    Section 252 would require the heads of each sector-specific 
agency and the heads of other federal agencies with 
responsibilities for regulating covered critical infrastructure 
to coordinate with the Director of the Center on activities 
related to the security and resiliency of the national 
information infrastructure. The section directs the Director of 
the Center and heads of agencies with sector-specific 
responsibilities to avoid duplication in reporting requirements 
wherever possible. These agencies would also have to coordinate 
with the Director prior to establishing any requirements or 
other measures related to the security of the national 
information infrastructure to ensure, to the maximum extent 
practicable, that the federal government takes a coordinated 
approach to any regulations or other matters related to 
cybersecurity.
            New Section 253 of the HSA
    Section 253 requires the Secretary of DHS, with other 
federal agencies and the private sector, to develop, update, 
and implement a supply chain risk management strategy that 
would ensure the security of the communications and information 
technology products and services purchased by the federal 
government. The Federal Acquisition Regulatory Council would be 
required to amend the Federal Acquisition Regulation to 
implement the supply chain risk management strategy. The 
section maintains existing preference for the procurement of 
commercial off-the-shelf products and services.

           TITLE III. FEDERAL INFORMATION SECURITY MANAGEMENT


Section 301. Coordination of Federal Information Policy

    Section 301 would amend the Federal Information Security 
Management Act of 2002 (FISMA) by striking subchapters II and 
III of chapter 35 of Title 44, United States Code, (44 U.S.C. 
§§ 3541, et seq.) and inserting the following sections. 
Many of the original FISMA requirements are retained in this 
language. The section-by-section analysis below refers to the 
new sections of Title 44, as amended by this bill.
            New Section 3550. Purposes
    Section 3550 states that the purpose of Title III is to 
provide a comprehensive risk-based framework that enhances the 
effectiveness of information security controls in the federal 
information infrastructure; recognizes the highly networked 
nature of the current federal information infrastructure 
environment; and provides for the development and maintenance 
of controls required to protect the federal information 
infrastructure.
            New Section 3551. Definitions
    Section 3551 would define the following terms: agency 
information infrastructure, automated and continuous 
monitoring, incident, information infrastructure, information 
security, information technology, management controls, national 
security system, operational controls, risk, risk-based 
security, security controls, and technical controls.
            New Section 3552. Authority and functions of the National 
                    Center for Cybersecurity and Communications
    Section 3552 would task the Director of the NCCC with the 
responsibility for developing, overseeing, and enforcing 
information security throughout the federal government, a task 
previously assigned to OMB's Office of Electronic Government 
and Information Technology. Specifically, the Director of the 
NCCC would have responsibility for providing agencies with 
prioritized risk-based security controls that would mitigate 
and remediate vulnerabilities, attacks, and exploitations. In 
addition, this section would require the Director of the NCCC 
to ensure agencies comply with government-wide policies and to 
review the effectiveness of agency information security 
programs at least annually.
            New Section 3553. Agency responsibilities
    Section 3553 would require agency heads to follow NCCC 
policies and to develop and maintain effective risk-based 
information security programs. In order to accomplish this, the 
section would require each agency head to delegate to a senior 
official, known as a Chief Information Security Officer (CISO), 
the authority to develop, oversee, and enforce risk-based 
information security policies that are integrated into the 
strategic and operational processes of the agency. The CISO's 
authority would extend to the entire agency, including 
contractors operating on behalf of the agency. To the extent 
possible, this section requires the CISO to automate the 
agency's defenses to detect, report, and respond to security 
incidents. The section would shift resources away from the 
wasteful, paperwork-laden compliance process required by 
current law and emphasize active detection and prevention of 
threats. Specifically, each agency would have to adopt an 
agency-wide security program, which would be approved by the 
NCCC and include the following: risk-based vulnerability 
assessments and penetration tests on agency networks; 
procedures to ensure that information security vulnerabilities 
are remediated in a timely fashion; role-based security 
awareness training for employees; automated and continuous 
monitoring of network defenses; and plans and procedures to 
ensure the continuity of operations for information systems 
that support the operations and assets of the agency. This 
section would allow CISOs to mandate more stringent standards 
than those required by the Director of the NCCC. If an incident 
does occur and information or an information system is 
compromised, this section would make the CISO responsible for 
mitigating and remediating the problem as quickly as possible 
and for reporting any incidents to the appropriate authorities. 
Finally, this section would require each agency to submit an 
annual report on the effectiveness of its information 
security program to Congress, the Government Accountability 
Office, and the NCCC.
            New Section 3554. Annual operational evaluation
    Section 3554 would require each agency to conduct annual 
operational evaluations (also known as ``red-teaming'' and 
``blue-teaming'') to test the information security program the 
agency developed pursuant to Section 3553. The operational 
evaluations would be overseen by the Director of the NCCC and 
prioritized based on risk. Following an operational evaluation, 
the CISO would have to submit a risk-based corrective action 
plan to the Director of the NCCC for mitigating and remediating 
any vulnerabilities identified as a result of the evaluation. 
The Director of the NCCC would have fifteen days upon receipt 
of the plan to approve, disapprove, and comment on the 
effectiveness of the plan. If the Director approves the plan, 
then the agency head must ensure that the plan is implemented. 
In the event that an operational evaluation brings to light 
severe deficiencies which represent a significant danger to the 
federal information infrastructure, then the Director of the 
NCCC may order the isolation of any system from the federal 
information infrastructure, consistent with the continuity of 
operations plans applicable to that agency, until the agency 
takes necessary corrective measures.
            New Section 3555. Federal Information Security Taskforce
    Section 3555 would establish a Federal Information Security 
Taskforce within the Executive Branch. The Director of the NCCC 
would head the Taskforce, whose members would include the 
Administrator of the Office of Electronic Government; the CISO 
of every agency; the CISOs of the Army, Navy, and Air Force; 
representatives from the Office of the Director of National 
Intelligence, US-CERT, the Intelligence Community Incident 
Response Center, the Committee on National Security Systems, 
the National Institute of Standards and Technology, and state 
and local government; and any other person designated by the 
chairperson. The Taskforce would serve as the principal 
interagency forum for agencies to develop and share best 
practices for enhancing the security of their systems and 
networks. The Taskforce would be the vehicle through which the 
Director of the NCCC establishes policies and guidelines to 
conduct operational evaluations required under Section 3554. In 
addition, the Taskforce would promote the development and use 
of standard performance measures for agency information 
security that are outcome-based, focus on risk management, 
align with business and program goals of the agency, measure 
improvements over time, and reduce burdensome compliance 
measures. The Taskforce would sunset after four years unless 
extended by Executive Order or an act of Congress.
            New Section 3556. Independent assessments
    Section 3556 would require Inspectors General to assess the 
effectiveness of agency information security programs at least 
every two years.
            New Section 3557. Protection of information
    Section 3557 would require agencies to protect any 
information accessed as a result of activities carried out 
under this Subchapter.
            New Section 3558. Department of Defense and Central 
                    Intelligence Agency systems
    Section 3558 would require the Secretary of Defense and the 
Director of the Central Intelligence Agency to assume the 
responsibilities of the Director of the National Center for 
Cybersecurity and Communications as it relates to their agency 
information infrastructure. This requirement is consistent with 
the treatment of the systems of the Department of Defense and 
the Central Intelligence Agency under current law.

           TITLE IV. RECRUITMENT AND PROFESSIONAL DEVELOPMENT


Section 401. Definitions

    Section 401 would define the terms cybersecurity mission 
and federal agency's cybersecurity mission.

Section 402. Assessment of cybersecurity workforce

    Section 402 would require the Director of the Office of 
Personnel Management (OPM) to assess the readiness and capacity 
of the federal workforce to meet the needs of the federal 
government's cybersecurity mission. The section would require 
OPM, within 180 days of enactment, to develop and implement a 
comprehensive workforce strategy which includes a five-year 
plan on recruitment of personnel and ten- and twenty-year 
projections of workforce needs. The Committee anticipates that 
OPM would identify areas in the science, technology, 
engineering, and math fields where additional emphasis needs to 
be placed to train and recruit candidates.

Section 403. Strategic cybersecurity workforce planning

    Section 403 would require the head of each federal agency 
to develop a strategic cybersecurity workforce plan detailing 
how the agency plans to recruit, hire, and train necessary 
cybersecurity personnel. Each agency would have to assess its 
own needs to determine how to increase and improve its 
workforce in this area.

Section 404. Cybersecurity occupation classifications

    Section 404 would require the Director of OPM to develop 
and issue comprehensive occupation classifications for federal 
employees engaged in the cybersecurity mission. The section 
would require OPM to ensure that the classifications could be 
used government-wide so as to facilitate the movement of cyber 
personnel between federal agencies.

Section 405. Measures of cybersecurity hiring effectiveness

    Section 405 would require each agency head to develop a 
system to measure the effectiveness of the agency's recruitment 
and hiring program.

Section 406. Training and education

    Section 406 would require the Director of OPM to establish 
a cybersecurity awareness program for all federal employees and 
federal contractors and a program to provide training to 
improve the technical skills and capabilities of federal 
employees engaged in the cybersecurity mission. Very few jobs 
in the federal government do not require access to computers 
and networks, and as such the Committee believes all employees 
or contractors should have a baseline of cybersecurity 
knowledge.
    The Director of OPM would be required to develop and 
implement a strategy to provide federal employees who work in 
cybersecurity missions with the opportunity to obtain 
additional education at the expense of the government. The 
federal government is competing with the private sector for a 
small pool of highly skilled cyber experts, and the Committee 
believes that offering educational opportunities that compare 
with those in the private sector would improve recruitment and 
retention, as well as improve the overall expertise of the 
workforce.
    The Secretary of Education, working with state and local 
governments, would be required to develop curriculum standards, 
guidelines, and recommended courses to address cyber safety, 
cybersecurity, and cyber ethics for students in kindergarten 
through grade twelve, as well as undergraduate, graduate, 
vocational, and technical institutions.
    The Director of OPM would also develop strategies and 
programs to recruit students from undergraduate, graduate, 
vocational, and technical institutions to serve as federal 
employees working in cyber missions. The Director of OPM would 
provide internships and part-time work opportunities for 
students from the above institutions.
    The Director of the NCCC would be required to establish a 
program to advance national and statewide cyber competitions 
and challenges that can identify talented individuals and 
encourage them to pursue careers in cybersecurity. The 
challenges should focus on developing and testing student 
talent in all aspects of cybersecurity with particular focus on 
hacking, penetration testing, vulnerability assessment, cyber 
forensics, and offensive and defensive operations.

Section 407. Cybersecurity incentives

    Section 407 would require that when the President or an 
agency head awards bonuses to recognize a federal employee, 
they must consider the success of that employee in fulfilling 
the objectives of the National Strategy. The head of an agency 
would also have to adopt best practices regarding effective 
ways to educate and motivate employees to demonstrate 
leadership in cybersecurity.

Section 408. Recruitment and Retention Program for the National Center 
        for Cybersecurity and Communications

    Section 408 would direct the Director of the NCCC to 
establish a program to recruit and retain highly skilled 
personnel to carry out the mission of the Center. The section 
would give the Director authority to: directly appoint up to 
500 cybersecurity specialists into the competitive service; 
grant competitive status to individuals previously appointed to 
an excepted service position; pay up to 20 employees a salary 
up to level I of the Executive Schedule and, with the direct 
approval of the Secretary of Homeland Security, up to 5 
employees a salary up to that of the Vice President; offer 
retention bonuses to cybersecurity specialists likely to leave 
the Department for another federal agency; and to pay entry-
level employees a salary higher than currently designated for 
their position on the General Schedule. These authorities would 
sunset after 3 years. The creation of the NCCC would be a 
significant undertaking, and these personnel authorities are 
intended to provide the Secretary with the flexibility to 
recruit highly skilled workers quickly and to retain them long-
term.

                       TITLE V. OTHER PROVISIONS


Section 501. Cybersecurity research and development

    Section 501 would amend the Homeland Security Act of 2002 
to add a new Section 238 encouraging cybersecurity research and 
development and a new Section 239 to establish the National 
Cybersecurity Advisory Council.
            New Section 238 of the HSA
    Section 238 would create a research and development program 
within the Science and Technology Directorate of the Department 
of Homeland Security to improve the security of the nation's 
information infrastructure. A crucial element of this research 
and development program would be coordination with the NCCC.
            New Section 239 of the HSA
    Section 239 would direct the Secretary of Homeland Security 
to establish the National Cybersecurity Advisory Council to 
advise the Secretary and the Director of the Center on the 
implementation of cybersecurity provisions affecting the 
private sector. The Committee also expects the Council to 
advise and provide input on other parts of the Department's 
cybersecurity agenda. Members of the Council would be appointed 
by the Director and include representatives of covered critical 
infrastructure; academic institutions with expertise in 
cybersecurity; federal, state, and local government agencies 
with expertise in cybersecurity; and a representative of the 
National Security Telecommunications Advisory Council, the 
Information Technology Sector Coordinating Council, and the 
Communications Sector Coordinating Council.

Section 502. Prioritized Critical Information Infrastructure

    Section 502 would amend the Homeland Security Act of 2002 
to require the Secretary to consider certain cybersecurity 
factors when establishing the Prioritized Critical 
Infrastructure List required under section 210E(a)(2). This 
section would also create a new section 254 in the Homeland 
Security Act.
            New Section 254 of the HSA. Covered critical infrastructure
    Section 254 would direct the Secretary of Homeland Security 
to establish and maintain a list of covered critical 
infrastructure, based on the Prioritized Critical 
Infrastructure List established under section 210E(a)(2). These 
designated systems would be subject to the risk-based security 
performance requirements established in Title II. The Secretary 
could add or delete systems or assets from the list established 
under 210E(a)(2) based on the consideration of cybersecurity. 
The Secretary would be required to notify the owner or operator 
of the system or asset added to the list as soon as practicable 
and afford the owner or operator the opportunity to provide 
information regarding the appropriateness of adding the system 
or asset to the list. This section would also establish a 
redress process for owners and operators of covered critical 
infrastructure to appeal their designations. While appeals are 
being considered, entities on the list would be required to 
comply with any requirements applicable to covered critical 
infrastructure under Title II.

Section 503. National Center for Cybersecurity and Communications 
        acquisition authorities

    Section 503 would give the NCCC the same procurement 
flexibilities currently available to the Department of Defense, 
NASA and the Coast Guard that allow narrow exceptions to normal 
competitive procedures for procurements that may be satisfied 
by only a limited number of responsible sources, or for follow-
on contracts for the continued provision of highly specialized 
services. In order to ensure that these exceptions are used 
only when necessary, section 503 requires that these 
authorities would be subject to justification and approval 
procedures, and the authorities would terminate three years 
after the date of enactment of this Act. The Director would 
have to report on a semiannual basis to Congress on the use of 
the authority granted under this section.

Section 504. Evaluation of the effective implementation of Office of 
        Management and Budget information security related policies and 
        directives

    Section 504 would require an evaluation of existing OMB 
policies, memoranda, and directives relating to information 
security to determine how well they have been implemented and 
to make recommendations for improvement. The Administrator for 
Electronic Government and Information Technology, in 
coordination with the Chief Information Officers Council, the 
Federal Information Security Taskforce created in Title III, 
and the Council of Inspectors General on Integrity and 
Efficiency, would conduct the evaluation, which would be 
delivered to Congress. This section specifies that the review 
should include existing policies on file sharing technology, 
privacy provisions, and breaches of Personally Identifiable 
Information, among other information security-related policies.

                  V. Regulatory Impact and Evaluation

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill. S. 3480 would 
require owners and operators of the nation's most critical 
infrastructure to comply with new risk-based security 
requirements. The Committee agrees with the Congressional Budget 
Office's (CBO) assessment, noted in its cost estimate included 
in section VI below, that although the new federal regulations 
would impose intergovernmental and private-sector mandates as 
defined in the Unfunded Mandates Reform Act, the cost of 
complying with the regulatory requirements in the bill is 
dependent on future regulations and therefore cannot be 
accurately estimated at this time. However, the Committee does 
not agree with CBO's assessment that more than 50,000 companies 
could be subject to these requirements. The bill specifically 
states that the requirements will only apply to systems or 
assets that if disrupted or destroyed would cause regional or 
national catastrophic consequences, and the Committee does not 
believe there are 50,000 entities that will meet this high bar. 
Moreover, the risk-based performance requirements are designed 
to apply only to particularly critical systems or assets and 
not entire companies.

             VI. Congressional Budget Office Cost Estimate

                                                November 17, 2010. 
Hon. Joseph I. Lieberman,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 3480, the Protecting 
Cyberspace as a National Asset Act of 2010.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford.
            Sincerely,
                                             Douglas W. Elmendorf. 
    Enclosure.

S. 3480--Protecting Cyberspace as a National Asset Act of 2010

    Summary: S. 3480 would amend the Federal Information 
Security Management Act of 2002 (FISMA) to strengthen and 
coordinate security controls over computer information systems 
across federal civilian agencies. In addition, the legislation 
would aim to increase the security of privately owned computer 
networks for online communication and prevent intentional 
disruptions of such networks. S. 3480 would establish new 
offices, require additional testing of computer systems, and 
provide federal agencies with new authorities and 
responsibilities related to information security.
    Based on information from the Department of Homeland 
Security (DHS), the Office of Management and Budget (OMB), and 
other major agencies involved in cybersecurity, CBO estimates 
that implementing S. 3480 would cost $1.5 billion over the 
2011-2015 period, assuming appropriation of the necessary 
amounts. Most of those funds would be spent on salaries, 
expenses, and computer hardware and software.
    The bill would, under certain circumstances, indemnify 
owners of critical infrastructure who implement emergency-
response plans required by the federal government. CBO 
estimates that this authority would increase direct spending by 
$10 million over the 2011-2020 period to pay claims against the 
U.S. government; therefore, pay-as-you-go procedures apply. 
Enacting the legislation would not affect revenues.
    S. 3480 would impose intergovernmental and private-sector 
mandates, as defined in the Unfunded Mandates Reform Act 
(UMRA), on owners and operators of information systems 
designated as critical infrastructure by DHS. Owners and 
operators of such systems would have to comply with new 
security standards and procedures. The bill also would impose a 
mandate by limiting the damages that users of critical 
infrastructure can seek from owners and operators of such 
systems for incidents related to cyber risks.
    Because the cost to comply with new security standards 
would depend on future regulations and because of uncertainty 
about the number of such claims that would be filed in the 
absence of this legislation, CBO cannot determine whether the 
aggregate cost of the mandates in the bill would exceed the 
annual thresholds established in UMRA for intergovernmental or 
private-sector mandates ($70 million and $141 million in 2010, 
respectively, adjusted annually for inflation).
    CBO has not reviewed provisions of the bill that would 
allow the President to declare a national emergency and 
implement emergency-response and restoration plans. Section 4 
of UMRA excludes from the application of that act any 
legislative provisions that are necessary for national 
security. CBO has determined that those provisions fall within 
that exclusion.
    Estimated Cost to the Federal Government: The estimated 
budgetary impact of S. 3480 is shown in the following table. 
The costs of this legislation fall within budget functions 050 
(national defense) and 800 (general government).

----------------------------------------------------------------------------------------------------------------
                                                                 By fiscal year, in millions of dollars--
                                                         -------------------------------------------------------
                                                            2011     2012     2013     2014     2015   2011-2015
----------------------------------------------------------------------------------------------------------------
                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION (a)

Changes to Information Security Management:
    Estimated Authorization Level.......................      100      175      225      300      325     1,125
    Estimated Outlays...................................       80      160      215      285      320     1,060
National Center for Cybersecurity and Communications:
    Estimated Authorization Level.......................       50       50       51       52       53       256
    Estimated Outlays...................................       27       44       49       50       51       221
Office of Cyberspace Policy:
    Estimated Authorization Level.......................       10       20       30       31       32       123
    Estimated Outlays...................................        8       18       28       30       31       115
Other Provisions:
    Estimated Authorization Level.......................       20       20       20       20       20       100
    Estimated Outlays...................................       19       20       20       20       20        99
    Total Changes:
        Estimated Authorization Level...................      180      265      326      403      430     1,604
        Estimated Outlays...............................      134      242      312      385      422    1,495
----------------------------------------------------------------------------------------------------------------
(a) S. 3480 also would increase direct spending by $10 million over the 2016-2020 period, CBO estimates, because of
  a provision that would, under certain circumstances, indemnify owners of critical infrastructure who comply
  with government-ordered procedures during a cyber emergency.
Note:  Components may not sum to totals because of rounding.

    Basis of Estimate: For this estimate, CBO assumes that the 
bill will be enacted in calendar year 2010, that the necessary 
amounts will be appropriated each year, and that spending will 
follow historical patterns for salaries and expenses related to 
securing federal information systems. CBO estimates that 
implementing S. 3480 would cost about $1.5 billion over the 
2011-2015 period.

Changes to information security management

    Under S. 3480, agencies would be required to perform new 
activities, including:
           Automated monitoring of systems to secure 
        information;
           Testing of information security controls;
           Evaluating information security programs and 
        practices; and
           Establishing a Federal Information Security 
        Task Force.
    Most of the provisions of the bill would expand practices 
already being carried out by the federal government under 
FISMA. In 2009, federal agencies spent nearly $7 billion on 
such activities. That amount includes about $300 million for 
certification and accreditation activities (the processes used 
by all federal agencies to assess, test, and accept the 
security controls that protect information systems). FISMA also 
sets forth a comprehensive framework for ensuring that security 
controls for information resources that support federal 
operations and assets are effective. Specifically, FISMA 
requires the head of each agency to provide protections that 
would be commensurate with the risk and magnitude of harm that 
would result from the unauthorized access, use, disclosure, 
disruption, modification, or destruction of the information and 
systems used or operated by each agency.
    Based on information from OMB and other selected agencies, 
CBO estimates that when fully implemented, the new activities 
specified in S. 3480 would increase federal spending for FISMA 
activities by about 4 percent--about $300 million annually. CBO 
expects that it would take about four years to reach that level 
of effort for the thousands of federal computer systems 
currently operating. Over the 2011-2015 period, we estimate 
that implementing those new requirements and authorities would 
cost about $1 billion, assuming appropriation of the necessary 
amounts.

National Center for Cybersecurity and Communications

    Section 201 would establish the National Center for 
Cybersecurity and Communications (NCCC) within the Department 
of Homeland Security. The new center would be responsible for 
leading DHS's efforts to secure federal civilian networks and 
work with state and local governments and the private sector to 
secure the nation's information infrastructure. The bill would 
transfer the authorities, personnel, and other assets of DHS's 
National Cybersecurity Division, the Office of Emergency 
Communications, and the National Communications System to the 
NCCC.
    Although the bill would transfer existing assets and funds 
to the NCCC, CBO anticipates that the mission of the new NCCC 
would require additional funding to implement. In particular, 
the bill would require more extensive testing of federal and 
private information systems. In its 2011 budget justification, 
DHS outlined a plan to spend approximately $10 million to 
conduct 27 assessments of the federal government's information 
systems. Based on that information, CBO estimates that 
conducting the cyber assessments envisioned by the bill would 
cost an additional $220 million over the 2011-2015 period, 
assuming appropriation of the necessary amounts.

Office of Cyberspace Policy

    The Executive Office of the President currently employs a 
coordinator to manage cybersecurity policies. Title I would 
expand that role and establish an Office of Cyberspace Policy 
within the Executive Office of the President. The office would 
advise the President and help coordinate all cybersecurity 
regulations, standards, and strategies.
    Based on information provided by OMB and the cost of 
similar offices and programs, CBO estimates that creating the 
new office would cost about $30 million a year once fully 
implemented. We expect that the office would steadily expand 
its budget and staff over three years before it reached that 
level of effort and estimate that implementing the title would 
cost $115 million over the 2011-2015 period.

Other provisions

    The legislation also would require federal agencies to:
         Assess the skills of information security 
        employees;
         Prepare plans to train information security 
        workers; and
         Establish a National Cybersecurity Advisory 
        Council.
    Based on information from DHS and OMB, CBO estimates that 
implementing those provisions would cost about $20 million 
annually over the 2011-2015 period.

Direct spending

    Under the bill, the Director of the NCCC would be 
authorized to require owners of critical infrastructure (assets 
essential to society and the economy, including facilities for 
energy production, telecommunications, public health, and food 
and water supply) to implement response plans if a national 
cyber emergency was declared by the President. Although the 
probability is very low, such a plan could involve an 
interruption of service in the telecommunications or electric 
power sectors. Section 201 would indemnify the owners of such 
infrastructure in civil actions if implementation of those 
response plans resulted in the serious physical injury or death 
of an individual or substantial damage or destruction of an 
individual's primary residence. Any claims against the 
government related to indemnifying such entities would be paid 
from the Judgment Fund (a permanent, indefinite appropriation 
for claims and judgments against the United States) and would 
be considered direct spending.
    CBO has determined that cyber attacks on electrical 
utilities and telecommunications providers would present the 
biggest potential for liability under this section because an 
interruption of service in those sectors could affect emergency 
response services. Because there is no relevant historical data 
on which to determine the probability of an attack that would 
trigger the implementation of such plans, CBO consulted with 
numerous cyber security and cyber insurance experts. CBO based 
its estimate of the costs of indemnifying entities on 
information derived from those discussions including the 
likelihood of a widespread, high-impact cyber event and on an 
analysis of the potential liability if there was an 
interruption of electrical power or telecommunications services 
in a large metropolitan area. Based on that analysis, CBO 
estimates that enacting this provision would increase direct 
spending by $10 million over the 2016-2020 period. Since CBO 
cannot predict the value of claims that might be paid in any 
particular year, our estimate of the cost represents the sum of 
a weighted average of payments from the Judgment Fund over the 
2016-2020 period. Since CBO anticipates that any potential 
litigation involving such claims would be lengthy, we estimate 
that this provision would not affect direct spending over the 
2011-2015 period.
    Pay-As-You-Go considerations: The Statutory Pay-As-You-Go 
Act of 2010 establishes budget reporting and enforcement 
procedures for legislation affecting direct spending or 
revenues. S. 3480 could affect direct spending by agencies not 
funded through annual appropriations, such as the Tennessee 
Valley Authority and the Bonneville Power Administration; 
therefore, pay-as-you-go procedures apply. CBO estimates, 
however, that any net increase in annual spending by those 
agencies would not be significant and enacting the legislation 
would not affect revenues.
    In addition, the bill would affect direct spending because 
of a provision that would, under certain circumstances, 
indemnify owners of critical infrastructure who comply with 
government-ordered procedures during a cyber emergency. CBO 
estimates that enacting that provision would increase direct 
spending by $10 million over the 2016-2020 period.
    In total, the net budgetary changes in the bill subject to 
pay-as-you-go procedures would be insignificant over the 2011-
2015 period and $10 million over the 2016-2020 period.
    Intergovernmental and private-sector impact: S. 3480 
contains several intergovernmental and private-sector mandates, 
as defined in UMRA. Because of uncertainty about the nature or 
scope of some of the mandates, CBO cannot determine whether the 
aggregate cost of the mandates in the bill would exceed the 
annual thresholds established in UMRA for intergovernmental or 
private-sector mandates ($70 million and $141 million in 2010, 
respectively, adjusted annually for inflation).

Mandates that apply to both intergovernmental and private-sector 
        entities

    Cyber protection. The bill would impose intergovernmental 
and private-sector mandates, as defined in UMRA, on owners and 
operators of information systems designated as critical 
infrastructure by DHS. Owners and operators of such systems 
would have to comply with new security standards and reporting 
requirements. Critical infrastructure could include information 
systems for public and private transportation systems, police 
and fire departments, airports, hospitals, electric utilities, 
health departments, water systems, and financial companies. 
Based on information from government and industry sources, CBO 
estimates that more than 50,000 public entities could be 
subject to the mandates. Further, a study by the Government 
Accountability Office indicates that the private sector owns 
more than 85 percent of the nation's critical infrastructure.
    The bill would require owners and operators of information 
systems designated as critical infrastructure to comply with 
standards for managing cybersecurity risks and to certify in 
writing that they are in compliance with those standards. 
Because the costs of complying with the mandate would depend on 
future regulations, CBO has no basis for estimating the cost of 
the mandates on public or private-sector entities, primarily 
because it is not clear which entities would be affected or 
whether future regulations would differ significantly from 
current practices.
    S. 3480 also would require affected entities to report 
incidents that could indicate a risk to cybersecurity. CBO 
estimates that the cost of complying with this mandate to 
public and private entities would be small relative to the 
annual thresholds.
    Liability limits. The bill also would impose a mandate by 
limiting the damages that may be recovered from owners and 
operators of critical infrastructure for incidents related to 
cyber risks. Compensation for certain damages would only be 
limited for claims against owners and operators that comply 
with the cybersecurity standards issued by DHS. Because we are 
uncertain about both the value of awards in such cases and the 
number of claims that would be filed in the absence of this 
legislation, CBO cannot determine whether the cost of the 
mandate would exceed the annual thresholds for 
intergovernmental or private-sector mandates.

Provisions excluded under UMRA

    CBO has not reviewed provisions of the bill that would 
allow the President to declare a national cyber emergency and 
implement emergency-response and restoration plans. Section 4 
of UMRA excludes from the application of that act any 
legislative provisions that are necessary for national 
security. CBO has determined that those provisions fall within 
that exclusion.
    Estimate prepared by: Federal costs: Matthew Pickford and 
Jason Wheelock; Impact on state, local, and tribal governments: 
Elizabeth Cove Delisle; Impact on the private sector: Samuel 
Wice.
    Estimate approved by: Theresa Gullo, Deputy Assistant 
Director for Budget Analysis.

               COMMITTEE COMMENTS REGARDING COST ESTIMATE

    The Committee questions portions of the cost estimate 
prepared by the Congressional Budget Office (CBO). CBO 
estimated that changes to information security management 
required by Title III of S. 3480 would increase federal 
spending for activities under the Federal Information Security 
Management Act (FISMA) by about 4 percent, or $1 billion over a 
5-year period. Yet in 2008, CBO estimated that S. 3474, a bill 
to amend FISMA that would have placed more burdensome and 
costly reporting and compliance obligations on federal agencies 
than does S. 3480, was estimated to increase FISMA spending by 
only 2 to 3 percent, or $570 million over a 5-year period. The 
Committee believes that by modernizing FISMA, S. 3480 will 
reduce both the current cost and the burden of federal 
information security. The Committee notes that provisions in S. 
3480 are far less burdensome on agencies than even those in S. 
3474. For example, unlike S. 3474, S. 3480 calls for 
operational evaluations, rather than more stringent ``audits;'' 
allows Inspectors General to leverage existing work rather than 
begin all evaluations anew; and allows dual-hatting of Chief 
Information Officers and Chief Information Security Officers. 
Thus, the Committee believes the FISMA reforms in S. 3480 will 
drastically decrease burdensome requirements contained in 
current law, and that any obligations imposed on federal 
agencies would be less than that associated with S. 3474.
    The Committee also questions the cost estimate for the 
White House Office of Cyberspace Policy. This office will 
oversee federal cyberspace activities to ensure efficiency and 
coordination across the federal government, but it will not 
have an operational role. The Committee expects the Office to 
be staffed in a manner similar to the National Security Staff--
with a mix of full-time employees and detailees--but with a 
significantly smaller headcount. The Committee does not believe 
that the estimated cost for the Office of Cyberspace Policy 
should be two times the current budget for the entire National 
Security Staff.

       VII. Changes in Existing Law Made by the Bill as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, the following changes in existing 
law made by the bill, as reported, are shown as follows 
(existing law proposed to be omitted is enclosed in black 
brackets, new matter is printed in italic, existing law in 
which no change is proposed is shown in roman):

UNITED STATES CODE

           *       *       *       *       *       *       *


TITLE 44--PUBLIC PRINTING AND DOCUMENTS

           *       *       *       *       *       *       *


CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY

           *       *       *       *       *       *       *



SUBCHAPTER II--INFORMATION SECURITY

           *       *       *       *       *       *       *



[Sec. 3531. Purposes

    [The purposes of this subchapter are to--
          [(1) provide a comprehensive framework for ensuring 
        the effectiveness of information security controls over 
        information resources that support Federal operations 
        and assets;
          [(2) recognize the highly networked nature of the 
        current Federal computing environment and provide 
        effective government wide management and oversight of 
        the related information security risks, including 
        coordination of information security efforts throughout 
        the civilian, national security, and law enforcement 
        communities;
          [(3) provide for development and maintenance of 
        minimum controls required to protect Federal 
        information and information systems;
          [(4) provide a mechanism for improved oversight of 
        Federal agency information security programs;
          [(5) acknowledge that commercially developed 
        information security products offer advanced, dynamic, 
        robust, and effective information security solutions, 
        reflecting market solutions for the protection of 
        critical information infrastructures important to the 
        national defense and economic security of the nation 
        that are designed, built, and operated by the private 
        sector; and
          [(6) recognize that the selection of specific 
        technical hardware and software information security 
        solutions should be left to individual agencies from 
        among commercially developed products.

[Sec. 3532. Definitions

    [(a) In General.--Except as provided under subsection (b), 
the definitions under section 3502 shall apply to this 
subchapter.
    [(b) Additional Definitions.--As used in this subchapter--
          [(1) the term ``information security'' means 
        protecting information and information systems from 
        unauthorized access, use, disclosure, disruption, 
        modification, or destruction in order to provide--
                  [(A) integrity, which means guarding against 
                improper information modification or 
                destruction, and includes ensuring information 
                nonrepudiation and authenticity;
                  [(B) confidentiality, which means preserving 
                authorized restrictions on access and 
                disclosure, including means for protecting 
                personal privacy and proprietary information;
                  [(C) availability, which means ensuring 
                timely and reliable access to and use of 
                information; and
                  [(D) authentication, which means utilizing 
                digital credentials to assure the identity of 
                users and validate their access;
          [(2) the term ``national security system'' means any 
        information system (including any telecommunications 
        system) used or operated by an agency or by a 
        contractor of an agency, or other organization on 
        behalf of an agency, the function, operation, or use of 
        which--
                  [(A) involves intelligence activities;
                  [(B) involves cryptologic activities related 
                to national security;
                  [(C) involves command and control of military 
                forces;
                  [(D) involves equipment that is an integral 
                part of a weapon or weapons system; or
                  [(E) is critical to the direct fulfillment of 
                military or intelligence missions provided that 
                this definition does not apply to a system that 
                is used for routine administrative and business 
                applications (including payroll, finance, 
                logistics, and personnel management 
                applications);
          [(3) the term ``information technology'' has the 
        meaning given that term in section 11101 of title 40; 
        and
          [(4) the term ``information system'' means any 
        equipment or interconnected system or subsystems of 
        equipment that is used in the automatic acquisition, 
        storage, manipulation, management, movement, control, 
        display, switching, interchange, transmission, or 
        reception of data or information, and includes--
                  [(A) computers and computer networks;
                  [(B) ancillary equipment;
                  [(C) software, firmware, and related 
                procedures;
                  [(D) services, including support services; 
                and
                  [(E) related resources.

[Sec. 3533. Authority and functions of the Director

    [(a) The Director shall oversee agency information security 
policies and practices, by--
          [(1) promulgating information security standards 
        under section 11331 of title 40;
          [(2) overseeing the implementation of policies, 
        principles, standards, and guidelines on information 
        security;
          [(3) requiring agencies, consistent with the 
        standards promulgated under such section 11331 and the 
        requirements of this subchapter, to identify and 
        provide information security protections commensurate 
        with the risk and magnitude of the harm resulting from 
        the unauthorized access, use, disclosure, disruption, 
        modification, or destruction of--
                  [(A) information collected or maintained by 
                or on behalf of an agency; or
                  [(B) information systems used or operated by 
                an agency or by a contractor of an agency or 
                other organization on behalf of an agency;
          [(4) coordinating the development of standards and 
        guidelines under section 20 of the National Institute 
        of Standards and Technology Act (15 U.S.C. 278g-3) with 
        agencies and offices operating or exercising control of 
        national security systems (including the National 
        Security Agency) to assure, to the maximum extent 
        feasible, that such standards and guidelines are 
        complementary with standards and guidelines developed 
        for national security systems;
          [(5) overseeing agency compliance with the 
        requirements of this subchapter, including through any 
        authorized action under section 11303(b)(5) of title 40, 
        to enforce accountability for compliance with such 
        requirements;
          [(6) reviewing at least annually, and approving or 
        disapproving, agency information security programs 
        required under section 3534(b);
          [(7) coordinating information security policies and 
        procedures with related information resources 
        management policies and procedures; and
          [(8) reporting to Congress no later than March 1 of 
        each year on agency compliance with the requirements of 
        this subchapter, including--
                  [(A) a summary of the findings of evaluations 
                required by section 3535;
                  [(B) significant deficiencies in agency 
                information security practices;
                  [(C) planned remedial action to address such 
                deficiencies; and
                  [(D) a summary of, and the views of the 
                Director on, the report prepared by the 
                National Institute of Standards and Technology 
                under section 20(d)(9) of the National 
                Institute of Standards and Technology Act (15 
                U.S.C. 278g-3).
    [(b) Except for the authorities described in paragraphs (4) 
and (7) of subsection (a), the authorities of the Director 
under this section shall not apply to national security 
systems.

[Sec. 3534. Federal agency responsibilities

    [(a) The head of each agency shall--
          [(1) be responsible for--
                  [(A) providing information security 
                protections commensurate with the risk and 
                magnitude of the harm resulting from 
                unauthorized access, use, disclosure, 
                disruption, modification, or destruction of--
                          [(i) information collected or 
                        maintained by or on behalf of the 
                        agency; and
                          [(ii) information systems used or 
                        operated by an agency or by a 
                        contractor of an agency or other 
                        organization on behalf of an agency;
                  [(B) complying with the requirements of this 
                subchapter and related policies, procedures, 
                standards, and guidelines, including--
                          [(i) information security standards 
                        promulgated by the Director under 
                        section 11331 of title 40; and
                          [(ii) information security standards 
                        and guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President; and
                  [(C) ensuring that information security 
                management processes are integrated with agency 
                strategic and operational planning processes;
          [(2) ensure that senior agency officials provide 
        information security for the information and 
        information systems that support the operations and 
        assets under their control, including through--
                  [(A) assessing the risk and magnitude of the 
                harm that could result from the unauthorized 
                access, use, disclosure, disruption, 
                modification, or destruction of such 
                information or information systems;
                  [(B) determining the levels of information 
                security appropriate to protect such 
                information and information systems in 
                accordance with standards promulgated under 
                section 11331 of title 40 for information 
                security classifications and related 
                requirements;
                  [(C) implementing policies and procedures to 
                cost-effectively reduce risks to an acceptable 
                level; and
                  [(D) periodically testing and evaluating 
                information security controls and techniques to 
                ensure that they are effectively implemented;
          [(3) delegate to the agency Chief Information Officer 
        established under section 3506 (or comparable official 
        in an agency not covered by such section) the authority 
        to ensure compliance with the requirements imposed on 
        the agency under this subchapter, including--
                  [(A) designating a senior agency information 
                security officer who shall--
                          [(i) carry out the Chief Information 
                        Officer's responsibilities under this 
                        section;
                          [(ii) possess professional 
                        qualifications, including training and 
                        experience, required to administer the 
                        functions described under this section;
                          [(iii) have information security 
                        duties as that official's primary duty; 
                        and
                          [(iv) head an office with the mission 
                        and resources to assist in ensuring 
                        agency compliance with this section;
                  [(B) developing and maintaining an agencywide 
                information security program as required by 
                subsection (b);
                  [(C) developing and maintaining information 
                security policies, procedures, and control 
                techniques to address all applicable 
                requirements, including those issued under 
                section 3533 of this title, and section 11331 
                of title 40;
                  [(D) training and overseeing personnel with 
                significant responsibilities for information 
                security with respect to such responsibilities; 
                and
                  [(E) assisting senior agency officials 
                concerning their responsibilities under 
                paragraph (2);
          [(4) ensure that the agency has trained personnel 
        sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines; and
          [(5) ensure that the agency Chief Information 
        Officer, in coordination with other senior agency 
        officials, reports annually to the agency head on the 
        effectiveness of the agency information security 
        program, including progress of remedial actions.
    [(b) Each agency shall develop, document, and implement an 
agencywide information security program, approved by the 
Director under section 3533(a)(5), to provide information 
security for the information and information systems that 
support the operations and assets of the agency, including 
those provided or managed by another agency, contractor, or 
other source, that includes--
          [(1) periodic assessments of the risk and magnitude 
        of the harm that could result from the unauthorized 
        access, use, disclosure, disruption, modification, or 
        destruction of information and information systems that 
        support the operations and assets of the agency;
          [(2) policies and procedures that--
                  [(A) are based on the risk assessments 
                required by paragraph (1);
                  [(B) cost-effectively reduce information 
                security risks to an acceptable level;
                  [(C) ensure that information security is 
                addressed throughout the life cycle of each 
                agency information system; and
                  [(D) ensure compliance with--
                          [(i) the requirements of this 
                        subchapter;
                          [(ii) policies and procedures as may 
                        be prescribed by the Director, and 
                        information security standards 
                        promulgated under section 11331 of 
                        title 40;
                          [(iii) minimally acceptable system 
                        configuration requirements, as 
                        determined by the agency; and
                          [(iv) any other applicable 
                        requirements, including standards and 
                        guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President;
          [(3) subordinate plans for providing adequate 
        information security for networks, facilities, and 
        systems or groups of information systems, as 
        appropriate;
          [(4) security awareness training to inform personnel, 
        including contractors and other users of information 
        systems that support the operations and assets of the 
        agency, of--
                  [(A) information security risks associated 
                with their activities; and
                  [(B) their responsibilities in complying with 
                agency policies and procedures designed to 
                reduce these risks;
          [(5) periodic testing and evaluation of the 
        effectiveness of information security policies, 
        procedures, and practices, to be performed with a 
        frequency depending on risk, but no less than annually, 
        of which such testing--
                  [(A) shall include testing of management, 
                operational, and technical controls of every 
                information system identified in the inventory 
                required under section 3505(c); and
                  [(B) may include testing relied on in a [1] 
                evaluation under section 3535;
          [(6) a process for planning, implementing, 
        evaluating, and documenting remedial action to address 
        any deficiencies in the information security policies, 
        procedures, and practices of the agency;
          [(7) procedures for detecting, reporting, and 
        responding to security incidents, including--
                  [(A) mitigating risks associated with such 
                incidents before substantial damage is done; 
                and
                  [(B) notifying and consulting with, as 
                appropriate--
                          [(i) law enforcement agencies and 
                        relevant Offices of Inspector General;
                          [(ii) an office designated by the 
                        President for any incident involving a 
                        national security system; and
                          [(iii) any other agency or office, in 
                        accordance with law or as directed by 
                        the President; and
          [(8) plans and procedures to ensure continuity of 
        operations for information systems that support the 
        operations and assets of the agency.
    [(c) Each agency shall--
          [(1) report annually to the Director, the Committees 
        on Government Reform and Science of the House of 
        Representatives, the Committees on Governmental Affairs 
        and Commerce, Science, and Transportation of the 
        Senate, the appropriate authorization and 
        appropriations committees of Congress, and the 
        Comptroller General on the adequacy and effectiveness 
        of information security policies, procedures, and 
        practices, and compliance with the requirements of this 
        subchapter, including compliance with each requirement 
        of subsection (b);
          [(2) address the adequacy and effectiveness of 
        information security policies, procedures, and 
        practices in plans and reports relating to--
                  [(A) annual agency budgets;
                  [(B) information resources management under 
                subchapter 1 [2] of this chapter;
                  [(C) information technology management under 
                subtitle III of title 40;
                  [(D) program performance under sections 1105 
                and 1115 through 1119 of title 31, and sections 
                2801 and 2805 of title 39;
                  [(E) financial management under chapter 9 of 
                title 31, and the Chief Financial Officers Act 
                of 1990 (31 U.S.C. 501 note; Public Law 101-
                576) (and the amendments made by that Act);
                  [(F) financial management systems under the 
                Federal Financial Management Improvement Act 
                (31 U.S.C. 3512 note); and
                  [(G) internal accounting and administrative 
                controls under section 3512 of title 31, United 
                States Code,[3] (known as the ``Federal 
                Managers Financial Integrity Act''); and
          [(3) report any significant deficiency in a policy, 
        procedure, or practice identified under paragraph (1) 
        or (2)--
                  [(A) as a material weakness in reporting 
                under section 3512 of title 31; and
                  [(B) if relating to financial management 
                systems, as an instance of a lack of 
                substantial compliance under the Federal 
                Financial Management Improvement Act (31 U.S.C. 
                3512 note).
    [(d)(1) In addition to the requirements of subsection (c), 
each agency, in consultation with the Director, shall include 
as part of the performance plan required under section 1115 of 
title 31 a description of--
          [(A) the time periods; and
          [(B) the resources, including budget, staffing, and 
        training, that are necessary to implement the program 
        required under subsection (b).
    [(2) The description under paragraph (1) shall be based on 
the risk assessments required under subsection (b)(2)(1).
    [(e) Each agency shall provide the public with timely 
notice and opportunities for comment on proposed information 
security policies and procedures to the extent that such 
policies and procedures affect communication with the public.

[Sec. 3535. Annual independent evaluation

    [(a)(1) Each year each agency shall have performed an 
independent evaluation of the information security program and 
practices of that agency to determine the effectiveness of such 
program and practices.
    [(2) Each evaluation by an agency under this section shall 
include--
          [(A) testing of the effectiveness of information 
        security policies, procedures, and practices of a 
        representative subset of the agency's information 
        systems;
          [(B) an assessment (made on the basis of the results 
        of the testing) of compliance with--
                  [(i) the requirements of this subchapter; and
                  [(ii) related information security policies, 
                procedures, standards, and guidelines; and
          [(C) separate presentations, as appropriate, 
        regarding information security relating to national 
        security systems.
    [(b) Subject to subsection (c)--
          [(1) for each agency with an Inspector General 
        appointed under the Inspector General Act of 1978 or 
        any other law, the annual evaluation required by this 
        section shall be performed by the Inspector General or 
        by an independent external auditor, as determined by 
        the Inspector General of the agency; and
          [(2) for each agency to which paragraph (1) does not 
        apply, the head of the agency shall engage an 
        independent external auditor to perform the evaluation.
    [(c) For each agency operating or exercising control of a 
national security system, that portion of the evaluation 
required by this section directly relating to a national 
security system shall be performed--
          [(1) only by an entity designated by the agency head; 
        and
          [(2) in such a manner as to ensure appropriate 
        protection for information associated with any 
        information security vulnerability in such system 
        commensurate with the risk and in accordance with all 
        applicable laws.
    [(d) The evaluation required by this section--
          [(1) shall be performed in accordance with generally 
        accepted government auditing standards; and
          [(2) may be based in whole or in part on an audit, 
        evaluation, or report relating to programs or practices 
        of the applicable agency.
    [(e) Each year, not later than such date established by the 
Director, the head of each agency shall submit to the Director 
the results of the evaluation required under this section.
    [(f) Agencies and evaluators shall take appropriate steps 
to ensure the protection of information which, if disclosed, 
may adversely affect information security. Such protections 
shall be commensurate with the risk and comply with all 
applicable laws and regulations.
    [(g)(1) The Director shall summarize the results of the 
evaluations conducted under this section in the report to 
Congress required under section 3533(a)(8).
    [(2) The Director's report to Congress under this 
subsection shall summarize information regarding information 
security relating to national security systems in such a manner 
as to ensure appropriate protection for information associated 
with any information security vulnerability in such system 
commensurate with the risk and in accordance with all 
applicable laws.
    [(3) Evaluations and any other descriptions of information 
systems under the authority and control of the Director of 
Central Intelligence or of National Foreign Intelligence 
Programs systems under the authority and control of the 
Secretary of Defense shall be made available to Congress only 
through the appropriate oversight committees of Congress, in 
accordance with applicable laws.
    [(h) The Comptroller General shall periodically evaluate 
and report to Congress on--
          [(1) the adequacy and effectiveness of agency 
        information security policies and practices; and
          [(2) implementation of the requirements of this 
        subchapter.

[Sec. 3536. National security systems

    [The head of each agency operating or exercising control of 
a national security system shall be responsible for ensuring 
that the agency--
          [(1) provides information security protections 
        commensurate with the risk and magnitude of the harm 
        resulting from the unauthorized access, use, 
        disclosure, disruption, modification, or destruction of 
        the information contained in such system;
          [(2) implements information security policies and 
        practices as required by standards and guidelines for 
        national security systems, issued in accordance with 
        law and as directed by the President; and
          [(3) complies with the requirements of this 
        subchapter.

[Sec. 3537. Authorization of appropriations

    [There are authorized to be appropriated to carry out the 
provisions of this subchapter such sums as may be necessary for 
each of fiscal years 2003 through 2007.

[Sec. 3538. Effect on existing law

    [Nothing in this subchapter, section 11331 of title 40, or 
section 20 of the National Standards[\1\] and Technology Act 
(15 U.S.C. 278g-3) may be construed as affecting the authority 
of the President, the Office of Management and Budget or the 
Director thereof, the National Institute of Standards and 
Technology, or the head of any agency, with respect to the 
authorized use or disclosure of information, including with 
regard to the protection of personal privacy under section 552a 
of title 5, the disclosure of information under section 552 of 
title 5, the management and disposition of records under 
chapters 29, 31, or 33 of title 44, the management of 
information resources under subchapter I of chapter 35 of this 
title, or the disclosure of information to Congress or the 
Comptroller General of the United States.]

           *       *       *       *       *       *       *


SUBCHAPTER III--INFORMATION SECURITY

           *       *       *       *       *       *       *
[Sec. 3541. Purposes

    [The purposes of this subchapter are to--
          [(1) provide a comprehensive framework for ensuring 
        the effectiveness of information security controls over 
        information resources that support Federal operations 
        and assets;
          [(2) recognize the highly networked nature of the 
        current Federal computing environment and provide 
        effective governmentwide management and oversight of 
        the related information security risks, including 
        coordination of information security efforts throughout 
        the civilian, national security, and law enforcement 
        communities;
          [(3) provide for development and maintenance of 
        minimum controls required to protect Federal 
        information and information systems;
          [(4) provide a mechanism for improved oversight of 
        Federal agency information security programs;
          [(5) acknowledge that commercially developed 
        information security products offer advanced, dynamic, 
        robust, and effective information security solutions, 
        reflecting market solutions for the protection of 
        critical information infrastructures important to the 
        national defense and economic security of the nation 
        that are designed, built, and operated by the private 
        sector; and
          [(6) recognize that the selection of specific 
        technical hardware and software information security 
        solutions should be left to individual agencies from 
        among commercially developed products.

[Sec. 3542. Definitions

    [(a) In General.--Except as provided under subsection (b), 
the definitions under section 3502 shall apply to this 
subchapter.
    [(b) Additional Definitions.--As used in this subchapter:
          [(1) The term ``information security'' means 
        protecting information and information systems from 
        unauthorized access, use, disclosure, disruption, 
        modification, or destruction in order to provide--
                  [(A) integrity, which means guarding against 
                improper information modification or 
                destruction, and includes ensuring information 
                nonrepudiation and authenticity;
                  [(B) confidentiality, which means preserving 
                authorized restrictions on access and 
                disclosure, including means for protecting 
                personal privacy and proprietary information; 
                and
                  [(C) availability, which means ensuring 
                timely and reliable access to and use of 
                information.
          [(2)(A) The term ``national security system'' means 
        any information system (including any 
        telecommunications system) used or operated by an 
        agency or by a contractor of an agency, or other 
        organization on behalf of an agency--
                  [(i) the function, operation, or use of 
                which--
                          [(I) involves intelligence 
                        activities;
                          [(II) involves cryptologic activities 
                        related to national security;
                          [(III) involves command and control 
                        of military forces;
                          [(IV) involves equipment that is an 
                        integral part of a weapon or weapons 
                        system; or
                          [(V) subject to subparagraph (B), is 
                        critical to the direct fulfillment of 
                        military or intelligence missions; or
                  [(ii) is protected at all times by procedures 
                established for information that have been 
                specifically authorized under criteria 
                established by an Executive order or an Act of 
                Congress to be kept classified in the interest 
                of national defense or foreign policy.
          [(B) Subparagraph (A)(i)(V) does not include a system 
        that is to be used for routine administrative and 
        business applications (including payroll, finance, 
        logistics, and personnel management applications).
          [(3) The term ``information technology'' has the 
        meaning given that term in section 11101 of title 40.

[Sec. 3543. Authority and functions of the Director

    [(a) In General.--The Director shall oversee agency 
information security policies and practices, including--
          [(1) developing and overseeing the implementation of 
        policies, principles, standards, and guidelines on 
        information security, including through ensuring timely 
        agency adoption of and compliance with standards 
        promulgated under section 11331 of title 40;
          [(2) requiring agencies, consistent with the 
        standards promulgated under such section 11331 and the 
        requirements of this subchapter, to identify and 
        provide information security protections commensurate 
        with the risk and magnitude of the harm resulting from 
        the unauthorized access, use, disclosure, disruption, 
        modification, or destruction of--
                  [(A) information collected or maintained by 
                or on behalf of an agency; or
                  [(B) information systems used or operated by 
                an agency or by a contractor of an agency or 
                other organization on behalf of an agency;
          [(3) coordinating the development of standards and 
        guidelines under section 20 of the National Institute 
        of Standards and Technology Act (15 U.S.C. 278g-3) with 
        agencies and offices operating or exercising control of 
        national security systems (including the National 
        Security Agency) to assure, to the maximum extent 
        feasible, that such standards and guidelines are 
        complementary with standards and guidelines developed 
        for national security systems;
          [(4) overseeing agency compliance with the 
        requirements of this subchapter, including through any 
        authorized action under section 11303 of title 40, to 
        enforce accountability for compliance with such 
        requirements;
          [(5) reviewing at least annually, and approving or 
        disapproving, agency information security programs 
        required under section 3544(b);
          [(6) coordinating information security policies and 
        procedures with related information resources 
        management policies and procedures;
          [(7) overseeing the operation of the Federal 
        information security incident center required under 
        section 3546; and
          [(8) reporting to Congress no later than March 1 of 
        each year on agency compliance with the requirements of 
        this subchapter, including--
                  [(A) a summary of the findings of evaluations 
                required by section 3545;
                  [(B) an assessment of the development, 
                promulgation, and adoption of, and compliance 
                with, standards developed under section 20 of 
                the National Institute of Standards and 
                Technology Act (15 U.S.C. 278g-3) and 
                promulgated under section 11331 of title 40;
                  [(C) significant deficiencies in agency 
                information security practices;
                  [(D) planned remedial action to address such 
                deficiencies; and
                  [(E) a summary of, and the views of the 
                Director on, the report prepared by the 
                National Institute of Standards and Technology 
                under section 20(d)(10) of the National 
                Institute of Standards and Technology Act (15 
                U.S.C. 278g-3).
    [(b) National Security Systems.--Except for the authorities 
described in paragraphs (4) and (8) of subsection (a), the 
authorities of the Director under this section shall not apply 
to national security systems.
    [(c) Department of Defense and Central Intelligence Agency 
Systems.--
          [(1) The authorities of the Director described in 
        paragraphs (1) and (2) of subsection (a) shall be 
        delegated to the Secretary of Defense in the case of 
        systems described in paragraph (2) and to the Director 
        of Central Intelligence in the case of systems 
        described in paragraph (3).
          [(2) The systems described in this paragraph are 
        systems that are operated by the Department of Defense, 
        a contractor of the Department of Defense, or another 
        entity on behalf of the Department of Defense that 
        processes any information the unauthorized access, use, 
        disclosure, disruption, modification, or destruction of 
        which would have a debilitating impact on the mission 
        of the Department of Defense.
          [(3) The systems described in this paragraph are 
        systems that are operated by the Central Intelligence 
        Agency, a contractor of the Central Intelligence 
        Agency, or another entity on behalf of the Central 
        Intelligence Agency that processes any information the 
        unauthorized access, use, disclosure, disruption, 
        modification, or destruction of which would have a 
        debilitating impact on the mission of the Central 
        Intelligence Agency.

[Sec. 3544. Federal agency responsibilities

    [(a) In General.--The head of each agency shall--
          [(1) be responsible for--
                  [(A) providing information security 
                protections commensurate with the risk and 
                magnitude of the harm resulting from 
                unauthorized access, use, disclosure, 
                disruption, modification, or destruction of--
                          [(i) information collected or 
                        maintained by or on behalf of the 
                        agency; and
                          [(ii) information systems used or 
                        operated by an agency or by a 
                        contractor of an agency or other 
                        organization on behalf of an agency;
                  [(B) complying with the requirements of this 
                subchapter and related policies, procedures, 
                standards, and guidelines, including--
                          [(i) information security standards 
                        promulgated under section 11331 of 
                        title 40; and
                          [(ii) information security standards 
                        and guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President; and
                  [(C) ensuring that information security 
                management processes are integrated with agency 
                strategic and operational planning processes;
          [(2) ensure that senior agency officials provide 
        information security for the information and 
        information systems that support the operations and 
        assets under their control, including through--
                  [(A) assessing the risk and magnitude of the 
                harm that could result from the unauthorized 
                access, use, disclosure, disruption, 
                modification, or destruction of such 
                information or information systems;
                  [(B) determining the levels of information 
                security appropriate to protect such 
                information and information systems in 
                accordance with standards promulgated under 
                section 11331 of title 40, for information 
                security classifications and related 
                requirements;
                  [(C) implementing policies and procedures to 
                cost-effectively reduce risks to an acceptable 
                level; and
                  [(D) periodically testing and evaluating 
                information security controls and techniques to 
                ensure that they are effectively implemented;
          [(3) delegate to the agency Chief Information Officer 
        established under section 3506 (or comparable official 
        in an agency not covered by such section) the authority 
        to ensure compliance with the requirements imposed on 
        the agency under this subchapter, including--
                  [(A) designating a senior agency information 
                security officer who shall--
                          [(i) carry out the Chief Information 
                        Officer's responsibilities under this 
                        section;
                          [(ii) possess professional 
                        qualifications, including training and 
                        experience, required to administer the 
                        functions described under this section;
                          [(iii) have information security 
                        duties as that official's primary duty; 
                        and
                          [(iv) head an office with the mission 
                        and resources to assist in ensuring 
                        agency compliance with this section;
                  [(B) developing and maintaining an agencywide 
                information security program as required by 
                subsection (b);
                  [(C) developing and maintaining information 
                security policies, procedures, and control 
                techniques to address all applicable 
                requirements, including those issued under 
                section 3543 of this title, and section 11331 
                of title 40;
                  [(D) training and overseeing personnel with 
                significant responsibilities for information 
                security with respect to such responsibilities; 
                and
                  [(E) assisting senior agency officials 
                concerning their responsibilities under 
                paragraph (2);
          [(4) ensure that the agency has trained personnel 
        sufficient to assist the agency in complying with the 
        requirements of this subchapter and related policies, 
        procedures, standards, and guidelines; and
          [(5) ensure that the agency Chief Information 
        Officer, in coordination with other senior agency 
        officials, reports annually to the agency head on the 
        effectiveness of the agency information security 
        program, including progress of remedial actions.
    [(b) Agency Program.--Each agency shall develop, document, 
and implement an agencywide information security program, 
approved by the Director under section 3543(a)(5), to provide 
information security for the information and information 
systems that support the operations and assets of the agency, 
including those provided or managed by another agency, 
contractor, or other source, that includes--
          [(1) periodic assessments of the risk and magnitude 
        of the harm that could result from the unauthorized 
        access, use, disclosure, disruption, modification, or 
        destruction of information and information systems that 
        support the operations and assets of the agency;
          [(2) policies and procedures that--
                  [(A) are based on the risk assessments 
                required by paragraph (1);
                  [(B) cost-effectively reduce information 
                security risks to an acceptable level;
                  [(C) ensure that information security is 
                addressed throughout the life cycle of each 
                agency information system; and
                  [(D) ensure compliance with--
                          [(i) the requirements of this 
                        subchapter;
                          [(ii) policies and procedures as may 
                        be prescribed by the Director, and 
                        information security standards 
                        promulgated under section 11331 of 
                        title 40;
                          [(iii) minimally acceptable system 
                        configuration requirements, as 
                        determined by the agency; and
                          [(iv) any other applicable 
                        requirements, including standards and 
                        guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President;
          [(3) subordinate plans for providing adequate 
        information security for networks, facilities, and 
        systems or groups of information systems, as 
        appropriate;
          [(4) security awareness training to inform personnel, 
        including contractors and other users of information 
        systems that support the operations and assets of the 
        agency, of--
                  [(A) information security risks associated 
                with their activities; and
                  [(B) their responsibilities in complying with 
                agency policies and procedures designed to 
                reduce these risks;
          [(5) periodic testing and evaluation of the 
        effectiveness of information security policies, 
        procedures, and practices, to be performed with a 
        frequency depending on risk, but no less than annually, 
        of which such testing--
                  [(A) shall include testing of management, 
                operational, and technical controls of every 
                information system identified in the inventory 
                required under section 3505 (c); and
                  [(B) may include testing relied on in an 
                evaluation under section 3545;
          [(6) a process for planning, implementing, 
        evaluating, and documenting remedial action to address 
        any deficiencies in the information security policies, 
        procedures, and practices of the agency;
          [(7) procedures for detecting, reporting, and 
        responding to security incidents, consistent with 
        standards and guidelines issued pursuant to section 
        3546 (b), including--
                  [(A) mitigating risks associated with such 
                incidents before substantial damage is done;
                  [(B) notifying and consulting with the 
                Federal information security incident center 
                referred to in section 3546; and
                  [(C) notifying and consulting with, as 
                appropriate--
                          [(i) law enforcement agencies and 
                        relevant Offices of Inspector General;
                          [(ii) an office designated by the 
                        President for any incident involving a 
                        national security system; and
                          [(iii) any other agency or office, in 
                        accordance with law or as directed by 
                        the President; and
          [(8) plans and procedures to ensure continuity of 
        operations for information systems that support the 
        operations and assets of the agency.
    [(c) Agency Reporting.--Each agency shall--
          [(1) report annually to the Director, the Committees 
        on Government Reform and Science of the House of 
        Representatives, the Committees on Governmental Affairs 
        and Commerce, Science, and Transportation of the 
        Senate, the appropriate authorization and 
        appropriations committees of Congress, and the 
        Comptroller General on the adequacy and effectiveness 
        of information security policies, procedures, and 
        practices, and compliance with the requirements of this 
        subchapter, including compliance with each requirement 
        of subsection (b);
          [(2) address the adequacy and effectiveness of 
        information security policies, procedures, and 
        practices in plans and reports relating to--
                  [(A) annual agency budgets;
                  [(B) information resources management under 
                subchapter 1 of this chapter;
                  [(C) information technology management under 
                subtitle III of title 40;
                  [(D) program performance under sections 1105 
                and 1115 through 1119 of title 31, and sections 
                2801 and 2805 of title 39;
                  [(E) financial management under chapter 9 of 
                title 31, and the Chief Financial Officers Act 
                of 1990 (31 U.S.C. 501 note; Public Law 101-
                576) (and the amendments made by that Act);
                  [(F) financial management systems under the 
                Federal Financial Management Improvement Act 
                (31 U.S.C. 3512 note); and
                  [(G) internal accounting and administrative 
                controls under section 3512 of title 31, (known 
                as the ``Federal Managers Financial Integrity 
                Act''); and
          [(3) report any significant deficiency in a policy, 
        procedure, or practice identified under paragraph (1) 
        or (2)--
                  [(A) as a material weakness in reporting 
                under section 3512 of title 31; and
                  [(B) if relating to financial management 
                systems, as an instance of a lack of 
                substantial compliance under the Federal 
                Financial Management Improvement Act (31 U.S.C. 
                3512 note).
    [(d) Performance Plan.--
          [(1) In addition to the requirements of subsection 
        (c), each agency, in consultation with the Director, 
        shall include as part of the performance plan required 
        under section 1115 of title 31 a description of--
                  [(A) the time periods, and
                  [(B) the resources, including budget, 
                staffing, and training, that are necessary to 
                implement the program required under subsection 
                (b).
          [(2) The description under paragraph (1) shall be 
        based on the risk assessments required under subsection 
        (b)(2)(1).
    [(e) Public Notice and Comment.--Each agency shall provide 
the public with timely notice and opportunities for comment on 
proposed information security policies and procedures to the 
extent that such policies and procedures affect communication 
with the public.

[Sec. 3545. Annual independent evaluation

    [(a) In General.--
          [(1) Each year each agency shall have performed an 
        independent evaluation of the information security 
        program and practices of that agency to determine the 
        effectiveness of such program and practices.
          [(2) Each evaluation under this section shall 
        include--
                  [(A) testing of the effectiveness of 
                information security policies, procedures, and 
                practices of a representative subset of the 
                agency's information systems;
                  [(B) an assessment (made on the basis of the 
                results of the testing) of compliance with--
                          [(i) the requirements of this 
                        subchapter; and
                          [(ii) related information security 
                        policies, procedures, standards, and 
                        guidelines; and
                  [(C) separate presentations, as appropriate, 
                regarding information security relating to 
                national security systems.
    [(b) Independent Auditor.--Subject to subsection (c)--
          [(1) for each agency with an Inspector General 
        appointed under the Inspector General Act of 1978 or 
        any other law, the annual evaluation required by this 
        section shall be performed by the Inspector General or 
        by an independent external auditor, as determined by 
        the Inspector General of the agency; and
          [(2) for each agency to which paragraph (1) does not 
        apply, the head of the agency shall engage an 
        independent external auditor to perform the evaluation.
    [(c) National Security Systems.--For each agency operating 
or exercising control of a national security system, that 
portion of the evaluation required by this section directly 
relating to a national security system shall be performed--
          [(1) only by an entity designated by the agency head; 
        and
          [(2) in such a manner as to ensure appropriate 
        protection for information associated with any 
        information security vulnerability in such system 
        commensurate with the risk and in accordance with all 
        applicable laws.
    [(d) Existing Evaluations.--The evaluation required by this 
section may be based in whole or in part on an audit, 
evaluation, or report relating to programs or practices of the 
applicable agency.
    [(e) Agency Reporting.--
          [(1) Each year, not later than such date established 
        by the Director, the head of each agency shall submit 
        to the Director the results of the evaluation required 
        under this section.
          [(2) To the extent an evaluation required under this 
        section directly relates to a national security system, 
        the evaluation results submitted to the Director shall 
        contain only a summary and assessment of that portion 
        of the evaluation directly relating to a national 
        security system.
    [(f) Protection of Information.--Agencies and evaluators 
shall take appropriate steps to ensure the protection of 
information which, if disclosed, may adversely affect 
information security. Such protections shall be commensurate 
with the risk and comply with all applicable laws and 
regulations.
    [(g) OMB Reports to Congress.--
          [(1) The Director shall summarize the results of the 
        evaluations conducted under this section in the report 
        to Congress required under section 3543(a)(8).
          [(2) The Director's report to Congress under this 
        subsection shall summarize information regarding 
        information security relating to national security 
        systems in such a manner as to ensure appropriate 
        protection for information associated with any 
        information security vulnerability in such system 
        commensurate with the risk and in accordance with all 
        applicable laws.
          [(3) Evaluations and any other descriptions of 
        information systems under the authority and control of 
        the Director of Central Intelligence or of National 
        Foreign Intelligence Programs systems under the 
        authority and control of the Secretary of Defense shall 
        be made available to Congress only through the 
        appropriate oversight committees of Congress, in 
        accordance with applicable laws.
    [(h) Comptroller General.--The Comptroller General shall 
periodically evaluate and report to Congress on--
          [(1) the adequacy and effectiveness of agency 
        information security policies and practices; and
          [(2) implementation of the requirements of this 
        subchapter.

[Sec. 3546. Federal information security incident center

    [(a) In General.--The Director shall ensure the operation 
of a central Federal information security incident center to--
          [(1) provide timely technical assistance to operators 
        of agency information systems regarding security 
        incidents, including guidance on detecting and handling 
        information security incidents;
          [(2) compile and analyze information about incidents 
        that threaten information security;
          [(3) inform operators of agency information systems 
        about current and potential information security 
        threats, and vulnerabilities; and
          [(4) consult with the National Institute of Standards 
        and Technology, agencies or offices operating or 
        exercising control of national security systems 
        (including the National Security Agency), and such 
        other agencies or offices in accordance with law and as 
        directed by the President regarding information 
        security incidents and related matters.
    [(b) National Security Systems.--Each agency operating or 
exercising control of a national security system shall share 
information about information security incidents, threats, and 
vulnerabilities with the Federal information security incident 
center to the extent consistent with standards and guidelines 
for national security systems, issued in accordance with law 
and as directed by the President.

[Sec. 3547. National security systems

    [The head of each agency operating or exercising control of 
a national security system shall be responsible for ensuring 
that the agency--
          [(1) provides information security protections 
        commensurate with the risk and magnitude of the harm 
        resulting from the unauthorized access, use, 
        disclosure, disruption, modification, or destruction of 
        the information contained in such system;
          [(2) implements information security policies and 
        practices as required by standards and guidelines for 
        national security systems, issued in accordance with 
        law and as directed by the President; and
          [(3) complies with the requirements of this 
        subchapter.

[Sec. 3548. Authorization of appropriations

    [There are authorized to be appropriated to carry out the 
provisions of this subchapter such sums as may be necessary for 
each of fiscal years 2003 through 2007.

[Sec. 3549. Effect on existing law

    [Nothing in this subchapter, section 11331 of title 40, or 
section 20 of the National Standards and Technology Act (15 
U.S.C. 278g-3) may be construed as affecting the authority of 
the President, the Office of Management and Budget or the 
Director thereof, the National Institute of Standards and 
Technology, or the head of any agency, with respect to the 
authorized use or disclosure of information, including with 
regard to the protection of personal privacy under section 552a 
of title 5, the disclosure of information under section 552 of 
title 5, the management and disposition of records under 
chapters 29, 31, or 33 of title 44, the management of 
information resources under subchapter I of chapter 35 of this 
title, or the disclosure of information to the Congress or the 
Comptroller General of the United States. While this subchapter 
is in effect, subchapter II of this chapter shall not apply.]

           *       *       *       *       *       *       *


TITLE II--FEDERAL INFORMATION SECURITY MANAGEMENT

           *       *       *       *       *       *       *


SEC. 301. COORDINATION OF FEDERAL INFORMATION POLICY.

    (a) Findings.--Congress finds that--
          (1) since 2002 the Federal Government has experienced 
        multiple high-profile incidents that resulted in the 
        theft of sensitive information amounting to more than 
        the entire print collection contained in the Library of 
        Congress, including personally identifiable 
        information, advanced scientific research, and 
        prenegotiated United States diplomatic positions; and
          (2) chapter 35 of title 44, United States Code, must 
        be amended to increase the coordination of Federal 
        agency activities and to enhance situational awareness 
        throughout the Federal Government using more effective 
        enterprise-wide automated monitoring, detection, and 
        response capabilities.
    (b) In General.--Chapter 35 of title 44, United States 
Code, is amended by striking subchapters II and III and 
inserting the following:

                  SUBCHAPTER II--INFORMATION SECURITY 

SEC. 3550. PURPOSES.

    The purposes of this subchapter are to--
          (1) provide a comprehensive framework for ensuring 
        the effectiveness of information security controls over 
        information resources that support the Federal 
        information infrastructure and the operations and 
        assets of agencies;
          (2) recognize the highly networked nature of the 
        current Federal information infrastructure and provide 
        effective Government-wide management and oversight of 
        the related information security risks, including 
        coordination of information security efforts throughout 
        the civilian, national security, and law enforcement 
        communities;
          (3) provide for development and maintenance of 
        prioritized and risk-based security controls required 
        to protect Federal information infrastructure and 
        information systems;
          (4) provide a mechanism for improved oversight of 
        Federal agency information security programs;
          (5) acknowledge that commercially developed 
        information security products offer advanced, dynamic, 
        robust, and effective information security solutions, 
        reflecting market solutions for the protection of 
        critical information infrastructures important to the 
        national defense and economic security of the Nation 
        that are designed, built, and operated by the private 
        sector; and
          (6) recognize that the selection of specific 
        technical hardware and software information security 
        solutions should be left to individual agencies from 
        among commercially developed products.

SEC. 3551. DEFINITIONS.

    (a) In General.--Except as provided under subsection (b), 
the definitions under section 3502 shall apply to this 
subchapter.
    (b) Additional Definitions.--In this subchapter:
          (1) The term ``agency information infrastructure''--
                  (A) means information infrastructure that is 
                owned, operated, controlled, or licensed for 
                use by, or on behalf of, an agency, including 
                information systems used or operated by another 
                entity on behalf of the agency; and
                  (B) does not include national security 
                systems.
          (2) The term ``automated and continuous monitoring'' 
        means monitoring at a frequency and sufficiency such 
        that the data exchange requires little to no human 
        involvement and is not interrupted.
          (3) The term ``incident'' means an occurrence that--
                  (A) actually or potentially jeopardizes--
                          (i) the information security of an 
                        information system; or
                          (ii) the information the system 
                        processes, stores, or transmits; or
                  (B) constitutes a violation or threat of 
                violation of security policies, security 
                procedures, or acceptable use policies.
          (4) The term ``information infrastructure'' means the 
        underlying framework that information systems and 
        assets rely on to process, transmit, receive, or store 
        information electronically, including programmable 
        electronic devices and communications networks and any 
        associated hardware, software, or data.
          (5) The term ``information security'' means 
        protecting information and information systems from 
        disruption or unauthorized access, use, disclosure, 
        modification, or destruction in order to provide--
                  (A) integrity, by guarding against improper 
                information modification or destruction, 
                including by ensuring information 
                nonrepudiation and authenticity;
                  (B) confidentiality, by preserving authorized 
                restrictions on access and disclosure, 
                including means for protecting personal privacy 
                and proprietary information; and
                  (C) availability, by ensuring timely and 
                reliable access to and use of information.
          (6) The term ``information technology'' has the 
        meaning given that term in section 11101 of title 40.
          (7) The term ``management controls'' means safeguards 
        or countermeasures for an information system that focus 
        on the management of risk and the management of 
        information system security.
          (8)(A) The term ``national security system'' means 
        any information system (including any 
        telecommunications system) used or operated by an 
        agency or by a contractor of an agency, or other 
        organization on behalf of an agency--
                  (i) the function, operation, or use of 
                which--
                          (I) involves intelligence activities;
                          (II) involves cryptologic activities 
                        related to national security;
                          (III) involves command and control of 
                        military forces;
                          (IV) involves equipment that is an 
                        integral part of a weapon or weapons 
                        system; or
                          (V) subject to subparagraph (B), is 
                        critical to the direct fulfillment of 
                        military or intelligence missions; or
                  (ii) that is protected at all times by 
                procedures established for information that 
                have been specifically authorized under 
                criteria established by an Executive order or 
                an Act of Congress to be kept classified in the 
                interest of national defense or foreign policy.
          (B) Subparagraph (A)(i)(V) does not include a system 
        that is to be used for routine administrative and 
        business applications (including payroll, finance, 
        logistics, and personnel management applications).
          (9) The term ``operational controls'' means the 
        safeguards and countermeasures for an information 
        system that are primarily implemented and executed by 
        individuals, not systems.
          (10) The term ``risk'' means the potential for an 
        unwanted outcome resulting from an incident, as 
        determined by the likelihood of the occurrence of the 
        incident and the associated consequences, including 
        potential for an adverse outcome assessed as a function 
        of threats, vulnerabilities, and consequences 
        associated with an incident.
          (11) The term ``risk-based security'' means security 
        commensurate with the risk and magnitude of harm 
        resulting from the loss, misuse, or unauthorized access 
        to, or modification, of information, including assuring 
        that systems and applications used by the agency 
        operate effectively and provide appropriate 
        confidentiality, integrity, and availability.
          (12) The term ``security controls'' means the 
        management, operational, and technical controls 
        prescribed for an information system to protect the 
        information security of the system.
          (13) The term ``technical controls'' means the 
        safeguards or countermeasures for an information system 
        that are primarily implemented and executed by the 
        information system through mechanisms contained in the 
        hardware, software, or firmware components of the 
        system.

SEC. 3552. AUTHORITY AND FUNCTIONS OF THE NATIONAL CENTER FOR 
                    CYBERSECURITY AND COMMUNICATIONS.

    (a) In General.--The Director of the National Center for 
Cybersecurity and Communications shall--
          (1) develop, oversee the implementation of, and 
        enforce policies, principles, and guidelines on 
        information security, including through ensuring timely 
        agency adoption of and compliance with standards 
        developed under section 20 of the National Institute of 
        Standards and Technology Act (15 U.S.C. 278g-3) and 
        subtitle E of title II of the Homeland Security Act of 
        2002;
          (2) provide to agencies security controls that 
        agencies shall be required to implement to mitigate and 
        remediate vulnerabilities, attacks, and exploitations 
        discovered as a result of activities required under 
        this subchapter or subtitle E of title II of the 
        Homeland Security Act of 2002;
          (3) to the extent practicable--
                  (A) prioritize the policies, principles, 
                standards, and guidelines promulgated under 
                section 20 of the National Institute of 
                Standards and Technology Act (15 U.S.C. 278g-
                3), paragraph (1), and subtitle E of title II 
                of the Homeland Security Act of 2002, based 
                upon the risk of an incident; and
                  (B) develop guidance that requires agencies 
                to monitor, including automated and continuous 
                monitoring of, the effective implementation of 
                policies, principles, standards, and guidelines 
                developed under section 20 of the National 
                Institute of Standards and Technology Act (15 
                U.S.C. 278g-3), paragraph (1), and subtitle E 
                of title II of the Homeland Security Act of 
                2002;
                  (C) ensure the effective operation of 
                technical capabilities within the National 
                Center for Cybersecurity and Communications to 
                enable automated and continuous monitoring of 
                any information collected as a result of the 
                guidance developed under subparagraph (B) and 
                use the information to enhance the risk-based 
                security of the Federal information 
                infrastructure; and
                  (D) ensure the effective operation of a 
                secure system that satisfies information 
                reporting requirements under sections 3553(c) 
                and 3556(c);
          (4) require agencies, consistent with the standards 
        developed under section 20 of the National Institute of 
        Standards and Technology Act (15 U.S.C. 278g-3) or 
        paragraph (1) and the requirements of this subchapter, 
        to identify and provide information security 
        protections commensurate with the risk resulting from 
        the disruption or unauthorized access, use, disclosure, 
        modification, or destruction of--
                  (A) information collected or maintained by or 
                on behalf of an agency; or
                  (B) information systems used or operated by 
                an agency or by a contractor of an agency or 
                other organization on behalf of an agency;
          (5) oversee agency compliance with the requirements 
        of this subchapter, including coordinating with the 
        Office of Management and Budget to use any authorized 
        action under section 11303 of title 40 to enforce 
        accountability for compliance with such requirements;
          (6) review, at least annually, and approve or 
        disapprove, agency information security programs 
        required under section 3553(b); and
          (7) coordinate information security policies and 
        procedures with the Administrator for Electronic 
        Government and the Administrator for the Office of 
        Information and Regulatory Affairs with related 
        information resources management policies and 
        procedures.
    (b) National Security Systems.--The authorities of the 
Director under this section shall not apply to national 
security systems.

SEC. 3553. AGENCY RESPONSIBILITIES.

    (a) In General.--The head of each agency shall--
          (1) be responsible for--
                  (A) providing information security 
                protections commensurate with the risk and 
                magnitude of the harm resulting from 
                unauthorized access, use, disclosure, 
                disruption, modification, or destruction of--
                          (i) information collected or 
                        maintained by or on behalf of the 
                        agency; and
                          (ii) agency information 
                        infrastructure;
                  (B) complying with the requirements of this 
                subchapter and related policies, procedures, 
                standards, and guidelines, including--
                          (i) information security 
                        requirements, including security 
                        controls, developed by the Director of 
                        the National Center for Cybersecurity 
                        and Communications under section 3552, 
                        subtitle E of title II of the Homeland 
                        Security Act of 2002, or any other 
                        provision of law;
                          (ii) information security policies, 
                        principles, standards, and guidelines 
                        promulgated under section 20 of the 
                        National Institute of Standards and 
                        Technology Act (15 U.S.C. 278g-3) and 
                        section 3552(a)(1);
                          (iii) information security standards 
                        and guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President; and
                          (iv) ensuring the standards 
                        implemented for information systems and 
                        national security systems of the agency 
                        are complementary and uniform, to the 
                        extent practicable;
                  (C) ensuring that information security 
                management processes are integrated with agency 
                strategic and operational planning processes, 
                including policies, procedures, and practices 
                described in subsection (c)(1)(C);
                  (D) as appropriate, maintaining secure 
                facilities that have the capability of 
                accessing, sending, receiving, and storing 
                classified information;
                  (E) maintaining a sufficient number of 
                personnel with security clearances, at the 
                appropriate levels, to access, send, receive 
                and analyze classified information to carry out 
                the responsibilities of this subchapter; and
                  (F) ensuring that information security 
                performance indicators and measures are 
                included in the annual performance evaluations 
                of all managers, senior managers, senior 
                executive service personnel, and political 
                appointees;
          (2) ensure that senior agency officials provide 
        information security for the information and 
        information systems that support the operations and 
        assets under the control of those officials, including 
        through--
                  (A) assessing the risk and magnitude of the 
                harm that could result from the disruption or 
                unauthorized access, use, disclosure, 
                modification, or destruction of such 
                information or information systems;
                  (B) determining the levels of information 
                security appropriate to protect such 
                information and information systems in 
                accordance with policies, principles, 
                standards, and guidelines promulgated under 
                section 20 of the National Institute of 
                Standards and Technology Act (15 U.S.C. 278g-
                3), section 3552(a)(1), and subtitle E of title 
                II of the Homeland Security Act of 2002, for 
                information security categorizations and 
                related requirements;
                  (C) implementing policies and procedures to 
                cost effectively reduce risks to an acceptable 
                level;
                  (D) periodically testing and evaluating 
                information security controls and techniques to 
                ensure that such controls and techniques are 
                operating effectively; and
                  (E) withholding all bonus and cash awards to 
                senior agency officials accountable for the 
                operation of such agency information 
                infrastructure that are recognized by the Chief 
                Information Security Officer as impairing the 
                risk-based security information, information 
                system, or agency information infrastructure;
          (3) delegate to a senior agency officer designated as 
        the Chief Information Security Officer the authority 
        and budget necessary to ensure and enforce compliance 
        with the requirements imposed on the agency under this 
        subchapter, subtitle E of title II of the Homeland 
        Security Act of 2002, or any other provision of law, 
        including--
                  (A) overseeing the establishment, 
                maintenance, and management of a security 
                operations center that has technical 
                capabilities that can, through automated and 
                continuous monitoring--
                          (i) detect, report, respond to, 
                        contain, remediate, and mitigate 
                        incidents that impair risk-based 
                        security of the information, 
                        information systems, and agency 
                        information infrastructure, in 
                        accordance with policy provided by the 
                        National Center for Cybersecurity and 
                        Communications;
                          (ii) monitor and, on a risk-based 
                        basis, mitigate and remediate the 
                        vulnerabilities of every information 
                        system within the agency information 
                        infrastructure;
                          (iii) continually evaluate risks 
                        posed to information collected or 
                        maintained by or on behalf of the 
                        agency and information systems and hold 
                        senior agency officials accountable for 
                        ensuring the risk-based security of 
                        such information and information 
                        systems;
                          (iv) collaborate with the National 
                        Center for Cybersecurity and 
                        Communications and appropriate public 
                        and private sector security operations 
                        centers to address incidents that 
                        impact the security of information and 
                        information systems that extend beyond 
                        the control of the agency; and
                          (v) report any incident described 
                        under clauses (i) and (ii), as directed 
                        by the policy of the National Center 
                        for Cybersecurity and Communications or 
                        the Inspector General of the agency;
                  (B) collaborating with the Administrator for 
                E-Government and the Chief Information Officer 
                to establish, maintain, and update an 
                enterprise network, system, storage, and 
                security architecture, that can be accessed by 
                the National Cybersecurity Communications 
                Center and includes--
                          (i) information on how security 
                        controls are implemented throughout the 
                        agency information infrastructure; and
                          (ii) information on how the controls 
                        described under subparagraph (A) 
                        maintain the appropriate level of 
                        confidentiality, integrity, and 
                        availability of information and 
                        information systems based on--
                                  (I) the policy of the 
                                National Center for 
                                Cybersecurity and 
                                Communications; and
                                  (II) the standards or 
                                guidance developed by the 
                                National Institute of Standards 
                                and Technology;
                  (C) developing, maintaining, and overseeing 
                an agency-wide information security program as 
                required by subsection (b);
                  (D) developing, maintaining, and overseeing 
                information security policies, procedures, and 
                control techniques to address all applicable 
                requirements, including those issued under 
                section 3552;
                  (E) training, consistent with the 
                requirements of section 406 of the Protecting 
                Cyberspace as a National Asset Act of 2010, and 
                overseeing personnel with significant 
                responsibilities for information security with 
                respect to such responsibilities; and
                  (F) assisting senior agency officers 
                concerning their responsibilities under 
                paragraph (2);
          (4) ensure that the Chief Information Security 
        Officer has a sufficient number of cleared and trained 
        personnel with technical skills identified by the 
        National Center for Cybersecurity and Communications as 
        critical to maintaining the risk-based security of 
        agency information infrastructure as required by the 
        subchapter and other applicable laws;
          (5) ensure that the agency Chief Information Security 
        Officer, in coordination with appropriate senior agency 
        officials, reports not less than annually to the head 
        of the agency on the effectiveness of the agency 
        information security program, including progress of 
        remedial actions;
          (6) ensure that the Chief Information Security 
        Officer--
                  (A) possesses necessary qualifications, 
                including education, professional 
                certifications, training, experience, and the 
                security clearance required to administer the 
                functions described under this subchapter; and
                  (B) has information security duties as the 
                primary duty of that officer; and
          (7) ensure that components of that agency establish 
        and maintain an automated reporting mechanism that 
        allows the Chief Information Security Officer with 
        responsibility for the entire agency, and all 
        components thereof, to implement, monitor, and hold 
        senior agency officers accountable for the 
        implementation of appropriate security policies, 
        procedures, and controls of agency components.
    (b) Agency-Wide Information Security Program.--Each agency 
shall develop, document, and implement an agency-wide 
information security program, approved by the National Center 
for Cybersecurity and Communications under section 3552(a)(6) 
and consistent with components across and within agencies, to 
provide information security for the information and 
information systems that support the operations and assets of 
the agency, including those provided or managed by another 
agency, contractor, or other source, that includes--
          (1) frequent assessments, at least twice each month--
                  (A) of the risk and magnitude of the harm 
                that could result from the disruption or 
                unauthorized access, use, disclosure, 
                modification, or destruction of information and 
                information systems that support the operations 
                and assets of the agency; and
                  (B) that assess whether information or 
                information systems should be removed or 
                migrated to more secure networks or standards 
                and make recommendations to the head of the 
                agency and the Director of the National Center 
                for Cybersecurity and Communications based on 
                that assessment;
          (2) consistent with guidance developed under section 
        3554, vulnerability assessments and penetration tests 
        commensurate with the risk posed to an agency 
        information infrastructure;
          (3) ensure that information security vulnerabilities 
        are remediated or mitigated based on the risk posed to 
        the agency;
          (4) policies and procedures that--
                  (A) are informed and revised by the 
                assessments required under paragraphs (1) and 
                (2);
                  (B) cost effectively reduce information 
                security risks to an acceptable level;
                  (C) ensure that information security is 
                addressed throughout the life cycle of each 
                agency information system; and
                  (D) ensure compliance with--
                          (i) the requirements of this 
                        subchapter;
                          (ii) policies and procedures 
                        prescribed by the National Center for 
                        Cybersecurity and Communications;
                          (iii) minimally acceptable system 
                        configuration requirements, as 
                        determined by the National Center for 
                        Cybersecurity and Communications; and
                          (iv) any other applicable 
                        requirements, including standards and 
                        guidelines for national security 
                        systems issued in accordance with law 
                        and as directed by the President;
          (5) subordinate plans for providing risk-based 
        information security for networks, facilities, and 
        systems or groups of information systems, as 
        appropriate;
          (6) role-based security awareness training, 
        consistent with the requirements of section 406 of the 
        Protecting Cyberspace as a National Asset Act of 2010, 
        to inform personnel with access to the agency network, 
        including contractors and other users of information 
        systems that support the operations and assets of the 
        agency, of--
                  (A) information security risks associated 
                with agency activities; and
                  (B) agency responsibilities in complying with 
                agency policies and procedures designed to 
                reduce those risks;
          (7) periodic testing and evaluation of the 
        effectiveness of information security policies, 
        procedures, and practices, to be performed with a rigor 
        and frequency depending on risk, which shall include--
                  (A) testing and evaluation not less than 
                twice each year of security controls of 
                information collected or maintained by or on 
                behalf of the agency and every information 
                system identified in the inventory required 
                under section 3505(c);
                  (B) the effectiveness of ongoing monitoring, 
                including automated and continuous monitoring, 
                vulnerability scanning, and intrusion detection 
                and prevention of incidents posed to the risk-
                based security of information and information 
                systems as required under subsection (a)(3); 
                and
                  (C) testing relied on in--
                          (i) an operational evaluation under 
                        section 3554;
                          (ii) an independent assessment under 
                        section 3556; or
                          (iii) another evaluation, to the 
                        extent specified by the Director;
          (8) a process for planning, implementing, evaluating, 
        and documenting remedial action to address any 
        deficiencies in the information security policies, 
        procedures, and practices of the agency;
          (9) procedures for detecting, reporting, and 
        responding to incidents, consistent with requirements 
        issued under section 3552, that include--
                  (A) to the extent practicable, automated and 
                continuous monitoring of the use of information 
                and information systems;
                  (B) requirements for mitigating risks and 
                remediating vulnerabilities associated with 
                such incidents systemically within the agency 
                information infrastructure before substantial 
                damage is done; and
                  (C) notifying and coordinating with the 
                National Center for Cybersecurity and 
                Communications, as required by this subchapter, 
                subtitle E of title II of the Homeland Security 
                Act of 2002, and any other provision of law; 
                and
          (10) plans and procedures to ensure continuity of 
        operations for information systems that support the 
        operations and assets of the agency.
    (c) Agency Reporting.--
          (1) In general.--Each agency shall--
                  (A) ensure that information relating to the 
                adequacy and effectiveness of information 
                security policies, procedures, and practices, 
                is available to the entities identified under 
                paragraph (2) through the system developed 
                under section 3552(a)(3), including information 
                relating to--
                          (i) compliance with the requirements 
                        of this subchapter;
                          (ii) the effectiveness of the 
                        information security policies, 
                        procedures, and practices of the agency 
                        based on a determination of the 
                        aggregate effect of identified 
                        deficiencies and vulnerabilities;
                          (iii) an identification and analysis 
                        of any significant deficiencies 
                        identified in such policies, 
                        procedures, and practices;
                          (iv) an identification of any 
                        vulnerability that could impair the 
                        risk-based security of the agency 
                        information infrastructure; and
                          (v) results of any operational 
                        evaluation conducted under section 3554 
                        and plans of action to address the 
                        deficiencies and vulnerabilities 
                        identified as a result of such 
                        operational evaluation;
                  (B) follow the policy, guidance, and 
                standards of the National Center for 
                Cybersecurity and Communications, in 
                consultation with the Federal Information 
                Security Taskforce, to continually update, and 
                ensure the electronic availability of both a 
                classified and unclassified version of the 
                information required under subparagraph (A);
                  (C) ensure the information under subparagraph 
                (A) addresses the adequacy and effectiveness of 
                information security policies, procedures, and 
                practices in plans and reports relating to--
                          (i) annual agency budgets;
                          (ii) information resources management 
                        of this subchapter;
                          (iii) information technology 
                        management and procurement under this 
                        chapter or any other applicable 
                        provision of law;
                          (iv) subtitle E of title II of the 
                        Homeland Security Act of 2002;
                          (v) program performance under 
                        sections 1105 and 1115 through 1119 of 
                        title 31, and sections 2801 and 2805 of 
                        title 39;
                          (vi) financial management under 
                        chapter 9 of title 31, and the Chief 
                        Financial Officers Act of 1990 (31 
                        U.S.C. 501 note; Public Law 101-576) 
                        (and the amendments made by that Act);
                          (vii) financial management systems 
                        under the Federal Financial Management 
                        Improvement Act (31 U.S.C. 3512 note);
                          (viii) internal accounting and 
                        administrative controls under section 
                        3512 of title 31; and
                          (ix) performance ratings, salaries, 
                        and bonuses provided to the senior 
                        managers and supporting personnel 
                        taking into account program performance 
                        as it relates to complying with this 
                        subchapter; and
                  (D) report any significant deficiency in a 
                policy, procedure, or practice identified under 
                subparagraph (A) or (B)--
                          (i) as a material weakness in 
                        reporting under section 3512 of title 
                        31; and
                          (ii) if relating to financial 
                        management systems, as an instance of a 
                        lack of substantial compliance under 
                        the Federal Financial Management 
                        Improvement Act (31 U.S.C. 3512 note).
          (2) Adequacy and effectiveness information.--
        Information required under paragraph (1)(A) shall, to 
        the extent possible and in accordance with applicable 
        law, policy, guidance, and standards, be available on 
        an automated and continuous basis to--
                  (A) the National Center for Cybersecurity and 
                Communications;
                  (B) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                  (C) the Committee on Government Oversight and 
                Reform of the House of Representatives;
                  (D) the Committee on Homeland Security of the 
                House of Representatives;
                  (E) other appropriate authorization and 
                appropriations committees of Congress;
                  (F) the Inspector General of the Federal 
                agency; and
                  (G) the Comptroller General.
    (d) Inclusions in Performance Plans.--
          (1) In general.--In addition to the requirements of 
        subsection (c), each agency, in consultation with the 
        National Center for Cybersecurity and Communications, 
        shall include as part of the performance plan required 
        under section 1115 of title 31 a description of the 
        time periods the resources, including budget, staffing, 
        and training, that are necessary to implement the 
        program required under subsection (b).
          (2) Risk assessments.--The description under 
        paragraph (1) shall be based on the risk and 
        vulnerability assessments required under subsection (b) 
        and evaluations required under section 3554.
    (e) Notice and Comment.--Each agency shall provide the 
public with timely notice and opportunities for comment on 
proposed information security policies and procedures to the 
extent that such policies and procedures affect communication 
with the public.
    (f) More Stringent Standards.--The head of an agency may 
employ standards for the cost effective information security 
for information systems within or under the supervision of that 
agency that are more stringent than the standards the Director 
of the National Center for Cybersecurity and Communications 
prescribes under this subchapter, subtitle E of title II of the 
Homeland Security Act of 2002, or any other provision of law, 
if the more stringent standards--
          (1) contain at least the applicable standards made 
        compulsory and binding by the Director of the National 
        Center for Cybersecurity and Communications; and
          (2) are otherwise consistent with policies and 
        guidelines issued under section 3552.

SEC. 3554. ANNUAL OPERATIONAL EVALUATION.

    (a) Guidance.--
          (1) In general.--Each year the National Center for 
        Cybersecurity and Communications shall oversee, 
        coordinate, and develop guidance for the effective 
        implementation of operational evaluations of the 
        Federal information infrastructure and agency 
        information security programs and practices to 
        determine the effectiveness of such program and 
        practices.
          (2) Collaboration in development.--In developing 
        guidance for the operational evaluations described 
        under this section, the National Center for 
        Cybersecurity and Communications shall collaborate with 
        the Federal Information Security Taskforce and the 
        Council of Inspectors General on Integrity and 
        Efficiency, and other agencies as necessary, to develop 
        and update risk-based performance indicators and 
        measures that assess the adequacy and effectiveness of 
        information security of an agency and the Federal 
        information infrastructure.
          (3) Contents of operational evaluation.--Each 
        operational evaluation under this section--
                  (A) shall be prioritized based on risk; and
                  (B) shall--
                          (i) test the effectiveness of agency 
                        information security policies, 
                        procedures, and practices of the 
                        information systems of the agency, or a 
                        representative subset of those 
                        information systems;
                          (ii) assess (based on the results of 
                        the testing) compliance with--
                                  (I) the requirements of this 
                                subchapter; and
                                  (II) related information 
                                security policies, procedures, 
                                standards, and guidelines;
                          (iii) evaluate whether agencies--
                                  (I) effectively monitor, 
                                detect, analyze, protect, 
                                report, and respond to 
                                vulnerabilities and incidents;
                                  (II) report to and 
                                collaborate with the 
                                appropriate public and private 
                                security operation centers, the 
                                National Center for 
                                Cybersecurity and 
                                Communications, and law 
                                enforcement agencies; and
                                  (III) remediate or mitigate 
                                the risk posed by attacks and 
                                exploitations in a timely 
                                fashion in order to prevent 
                                future vulnerabilities and 
                                incidents; and
                          (iv) identify deficiencies of agency 
                        information security policies, 
                        procedures, and controls on the agency 
                        information infrastructure.
    (b) Conduct an Operational Evaluation.--
          (1) In general.--Except as provided under paragraph 
        (2), and in consultation with the Chief Information 
        Officer and senior officials responsible for the 
        affected systems, the Chief Information Security 
        Officer of each agency shall not less than annually--
                  (A) conduct an operational evaluation of the 
                agency information infrastructure for 
                vulnerabilities, attacks, and exploitations of 
                the agency information infrastructure;
                  (B) evaluate the ability of the agency to 
                monitor, detect, correlate, analyze, report, 
                and respond to incidents; and
                  (C) report to the head of the agency, the 
                National Center for Cybersecurity and 
                Communications, the Chief Information Officer, 
                and the Inspector General for the agency the 
                findings of the operational evaluation.
          (2) Satisfaction of requirements by other 
        evaluation.--Unless otherwise specified by the Director 
        of the National Center for Cybersecurity and 
        Communications, if the National Center for 
        Cybersecurity and Communications conducts an 
        operational evaluation of the agency information 
        infrastructure under section 245(b)(2)(A) of the 
        Homeland Security Act of 2002, the Chief Information 
        Security Officer may deem the requirements of paragraph 
        (1) satisfied for the year in which the operational 
        evaluation described under this paragraph is conducted.
    (c) Corrective Measures Mitigation and Remediation Plans.--
          (1) In general.--In consultation with the National 
        Center for Cybersecurity and Communications and the 
        Chief Information Officer, Chief Information Security 
        Officers shall remediate or mitigate vulnerabilities in 
        accordance with this subsection.
          (2) Risk-based plan.--After an operational evaluation 
        is conducted under this section or under section 245(b) 
        of the Homeland Security Act of 2002, the agency shall 
        submit to the National Center for Cybersecurity and 
        Communications in a timely fashion a risk-based plan 
        for addressing recommendations and mitigating and 
        remediating vulnerabilities identified as a result of 
        such operational evaluation, including a timeline and 
        budget for implementing such plan.
          (3) Approval or disapproval.--Not later than 15 days 
        after receiving a plan submitted under paragraph (2), 
        the National Center for Cybersecurity and 
        Communications shall--
                  (A) approve or disapprove the agency plan; 
                and
                  (B) comment on the adequacy and effectiveness 
                of the plan.
          (4) Isolation from infrastructure.--
                  (A) In general.--The Director of the National 
                Center for Cybersecurity and Communications 
                may, consistent with the contingency or 
                continuity of operation plans applicable to 
                such agency information infrastructure, order 
                the isolation of any component of the Federal 
                information infrastructure from any other 
                Federal information infrastructure, if--
                          (i) an agency does not implement 
                        measures in a risk-based plan approved 
                        under this subsection; and
                          (ii) the failure to comply presents a 
                        significant danger to the Federal 
                        information infrastructure.
                  (B) Duration.--An isolation under 
                subparagraph (A) shall remain in effect until--
                          (i) the Director of the National 
                        Center for Cybersecurity and 
                        Communications determines that 
                        corrective measures have been 
                        implemented; or
                          (ii) an updated risk-based plan is 
                        approved by the National Center for 
                        Cybersecurity and Communications and 
                        implemented by the agency.
    (d) Operational Guidance.--The Director of the National 
Center for Cybersecurity and Communications shall--
          (1) not later than 180 days after the date of 
        enactment of the Protecting Cyberspace as a National 
        Asset Act of 2010, develop operational guidance for 
        operational evaluations as required under this section 
        that are risk-based and cost effective; and
          (2) periodically evaluate and ensure information is 
        available on an automated and continuous basis through 
        the system required under section 3552(a)(3)(D) to 
        Congress on--
                  (A) the adequacy and effectiveness of the 
                operational evaluations conducted under this 
                section or section 245(b) of the Homeland 
                Security Act of 2002; and
                  (B) possible executive and legislative 
                actions for cost-effectively managing the risks 
                to the Federal information infrastructure.

SEC. 3555. FEDERAL INFORMATION SECURITY TASKFORCE.

    (a) Establishment.--There is established in the executive 
branch a Federal Information Security Taskforce.
    (b) Membership.--The members of the Federal Information 
Security Taskforce shall be full-time senior Government 
employees and shall be as follows:
          (1) The Director of the National Center for 
        Cybersecurity and Communications.
          (2) The Administrator of the Office of Electronic 
        Government of the Office of Management and Budget.
          (3) The Chief Information Security Officer of each 
        agency described under section 901(b) of title 31.
          (4) The Chief Information Security Officer of the 
        Department of the Army, the Department of the Navy, and 
        the Department of the Air Force.
          (5) A representative from the Office of Cyberspace 
        Policy.
          (6) A representative from the Office of the Director 
        of National Intelligence.
          (7) A representative from the United States Cyber 
        Command.
          (8) A representative from the National Security 
        Agency.
          (9) A representative from the United States Computer 
        Emergency Readiness Team.
          (10) A representative from the Intelligence Community 
        Incident Response Center.
          (11) A representative from the Committee on National 
        Security Systems.
          (12) A representative from the National Institute for 
        Standards and Technology.
          (13) A representative from the Council of Inspectors 
        General on Integrity and Efficiency.
          (14) A representative from State and local 
        government.
          (15) Any other officer or employee of the United 
        States designated by the chairperson.
    (c) Chairperson and Vice-Chairperson.--
          (1) Chairperson.--The Director of the National Center 
        for Cybersecurity and Communications shall act as 
        chairperson of the Federal Information Security 
        Taskforce.
          (2) Vice-chairperson.--The vice chairperson of the 
        Federal Information Security Taskforce shall--
                  (A) be selected by the Federal Information 
                Security Taskforce from among its members;
                  (B) serve a 1-year term and may serve 
                multiple terms; and
                  (C) serve as a liaison to the Chief 
                Information Officer, Council of the Inspectors 
                General on Integrity and Efficiency, Committee 
                on National Security Systems, and other 
                councils or committees as appointed by the 
                chairperson.
    (d) Functions.--The Federal Information Security Taskforce 
shall--
          (1) be the principal interagency forum for 
        collaboration regarding best practices and 
        recommendations for agency information security and the 
        security of the Federal information infrastructure;
          (2) assist in the development of and annually 
        evaluate guidance to fulfill the requirements under 
        sections 3554 and 3556;
          (3) share experiences and innovative approaches 
        relating to threats against the Federal information 
        infrastructure, information sharing and information 
        security best practices, penetration testing regimes, 
        and incident response, mitigation, and remediation;
          (4) promote the development and use of standard 
        performance indicators and measures for agency 
        information security that--
                  (A) are outcome-based;
                  (B) focus on risk management;
                  (C) align with the business and program goals 
                of the agency;
                  (D) measure improvements in the agency 
                security posture over time; and
                  (E) reduce burdensome and efficient 
                performance indicators and measures;
          (5) recommend to the Office of Personnel Management 
        the necessary qualifications to be established for 
        Chief Information Security Officers to be capable of 
        administering the functions described under this 
        subchapter including education, training, and 
        experience;
          (6) enhance information system processes by 
        establishing a prioritized baseline of information 
        security measures and controls that can be continuously 
        monitored through automated mechanisms;
          (7) evaluate the effectiveness and efficiency of any 
        reporting and compliance requirements that are required 
        by law related to the information security of Federal 
        information infrastructure; and
          (8) submit proposed enhancements developed under 
        paragraphs (1) through (7) to the Director of the 
        National Center for Cybersecurity and Communications.
    (e) Termination.--
          (1) In general.--Except as provided under paragraph 
        (2), the Federal Information Security Taskforce shall 
        terminate 4 years after the date of enactment of the 
        Protecting Cyberspace as a National Asset Act of 2010.
          (2) Extension.--The President may--
                  (A) extend the Federal Information Security 
                Taskforce by executive order; and
                  (B) make more than 1 extension under this 
                paragraph for any period as the President may 
                determine.

SEC. 3556. INDEPENDENT ASSESSMENTS.

    (a) In General.--
          (1) Inspectors general assessments.--Not less than 
        every 2 years, each agency with an Inspector General 
        appointed under the Inspector General Act of 1978 (5 
        U.S.C. App.) shall assess the adequacy and 
        effectiveness of the information security program 
        developed under section 3553(b) and (c), and 
        evaluations conducted under section 3554.
          (2) Independent assessments.--For each agency to 
        which paragraph (1) does not apply, the head of the 
        agency shall engage an independent external auditor to 
        perform the assessment.
    (b) Existing Assessments.--The assessments required by this 
section may be based in whole or in part on an audit, 
evaluation, or report relating to programs or practices of the 
applicable agency.
    (c) Inspectors General Reporting.--Inspectors General shall 
ensure information obtained as a result of the assessment 
required under this section, or any other relevant information, 
is available through the system required under section 
3552(a)(3)(D) to Congress and the National Center for 
Cybersecurity and Communications.

SEC. 3557. PROTECTION OF INFORMATION.

    In complying with this subchapter, agencies, evaluators, 
and Inspectors General shall take appropriate actions to ensure 
the protection of information which, if disclosed, may 
adversely affect information security. Protections under this 
chapter shall be commensurate with the risk and comply with all 
applicable laws and regulations.

SEC. 3558. DEPARTMENT OF DEFENSE AND CENTRAL INTELLIGENCE AGENCY 
                    SYSTEMS.

    (a) In General.--The authorities of the Director of the 
National Center for Cybersecurity and Communications under this 
subchapter shall be delegated to--
          (1) the Secretary of Defense in the case of systems 
        described under subsection (b); and
          (2) the Director of Central Intelligence in the case 
        of systems described in subsection (c).
    (b) Department of Defense Systems.--The systems described 
in this paragraph are systems that are operated by the 
Department of Defense, a contractor of the Department of 
Defense, or another entity on behalf of the Department of 
Defense that processes any information the unauthorized access, 
use, disclosure, disruption, modification, or destruction of 
which would have a debilitating impact on the mission of the 
Department of Defense.
    (c) Central Intelligence Agency Systems.--The systems 
described in this paragraph are systems that are operated by 
the Central Intelligence Agency, a contractor of the Central 
Intelligence Agency, or another entity on behalf of the Central 
Intelligence Agency that processes any information the 
unauthorized access, use, disclosure, disruption, modification, 
or destruction of which would have a debilitating impact on the 
mission of the Central Intelligence Agency.
