[Senate Report 114-361]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 647
114th Congress     }                                    {       Report
                                 SENATE
 2d Session        }                                    {      114-361
______________________________________________________________________

                                     

           FEDERAL INFORMATION SYSTEMS SAFEGUARDS ACT OF 2016

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 2975

TO PROVIDE AGENCIES WITH DISCRETION IN SECURING INFORMATION TECHNOLOGY 
                        AND INFORMATION SYSTEMS

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


               September 27, 2016.--Ordered to be printed
                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

59-010                         WASHINGTON : 2016               
               
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
               
               
               
               
               
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 THOMAS R. CARPER, Delaware
ROB PORTMAN, Ohio                    CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky                  JON TESTER, Montana
JAMES LANKFORD, Oklahoma             TAMMY BALDWIN, Wisconsin
MICHAEL B. ENZI, Wyoming             HEIDI HEITKAMP, North Dakota
KELLY AYOTTE, New Hampshire          CORY A. BOOKER, New Jersey
JONI ERNST, Iowa                     GARY C. PETERS, Michigan
BEN SASSE, Nebraska

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
                    Daniel P. Lips, Policy Director
              Gabrielle A. Batkin, Minority Staff Director
           John P. Kilvington, Minority Deputy Staff Director
               Mary Beth Schultz, Minority Chief Counsel
       John A. Kane, Minority Senior Governmental Affairs Advisor
                     Laura W. Kilbride, Chief Clerk



















                                                      Calendar No. 647
114th Congress     }                                    {       Report
                                 SENATE
 2d Session        }                                    {      114-361

======================================================================



 
           FEDERAL INFORMATION SYSTEMS SAFEGUARDS ACT OF 2016

                                _______
                                

               September 27, 2016.--Ordered to be printed

                                _______
                                

 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 2975]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 2975) to provide 
agencies with discretion in securing information technology and 
information systems, having considered the same, reports 
favorably thereon with amendments and recommends that the bill, 
as amended, do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................4
 IV. Section-by-Section Analysis......................................4
  V. Evaluation of Regulatory Impact..................................5
 VI. Congressional Budget Office Cost Estimate........................5
VII. Changes in Existing Law Made by the Bill, as Reported............6

                         I. PURPOSE AND SUMMARY

    The purpose of S. 2975, the Federal Information Systems 
Safeguards Act of 2016, is to strengthen Federal cybersecurity 
by providing agencies greater discretion to secure their 
information technology and information systems. The legislation 
clarifies agency heads' authority to limit, restrict, or 
prohibit access to websites that may present current or future 
security weakness or risk to the agency's information system.

              II. BACKGROUND AND THE NEED FOR LEGISLATION

    Information security is a significant and persistent 
challenge for the Federal Government. The Government 
Accountability Office (GAO) has repeatedly identified 
weaknesses in Federal agencies' information security programs 
and compliance with Federal information security policies and 
practices. In September 2015, GAO reported that information 
security remains a persistent weakness at twenty-four Federal 
agencies.\1\ In February 2015, GAO reported that ``federal 
cyber assets'' have been identified as high-risk since 1997.\2\ 
The current cybersecurity threat is increased due, in part, to 
the proliferation of increasingly sophisticated threat actors 
who have expertise and resources to defeat cyber defenses.\3\ 
In 2016, the Office of Management and Budget alerted Congress 
that Federal agencies reported more than 77,000 security 
incidents during fiscal year (FY) 2015, an increase of ten 
percent over the prior year.\4\
---------------------------------------------------------------------------
    \1\Gov't Accountability Office, GAO-15-714, Federal Information 
Security: Agencies Need to Correct Weaknesses and Fully Implement 
Security Programs (Sept. 2015), available at: http://www.gao.gov/
assets/680/672801.pdf).
    \2\Id.
    \3\Id.
    \4\Office of Management and Budget, Annual Report to Congress: 
Federal Information Security Modernization Act (Mar. 18, 2016).
---------------------------------------------------------------------------
    Federal agencies identify nation-state actors as the most 
serious cybersecurity threat they face. In May 2016, GAO 
reported that 18 agencies that have high impact systems--those 
where the loss of information can have severe impact on the 
nation or affected individuals--identified foreign nations as 
the most serious and frequently occurring threat.\5\
---------------------------------------------------------------------------
    \5\Gov't Accountability Office, GAO-16-501, Information Security: 
Agencies Need to Improve Controls Over Selected High-Impact Systems 
(May 2016), available at http://www.gao.gov/products/GAO-16-501.
---------------------------------------------------------------------------
    In 2015, the nation learned that a sophisticated threat 
actor had penetrated the information system of the Office of 
Personnel Management (OPM), exfiltrating data that included 
millions of sensitive records about Federal employees, 
including employee background investigations.\6\ In the 
aftermath of the OPM breach, OPM instituted a new policy to 
prohibit its employees from accessing certain websites, 
including Gmail and Facebook, from their work computers.\7\ An 
OPM spokesperson described the change as a response to the 
breach and cybersecurity threats:
---------------------------------------------------------------------------
    \6\Under Attack: Cybersecurity and the OPM Data Breach: Hearing 
Before the Comm. on Homeland Sec. & Governmental Affairs, 114th Cong. 
(2015).
    \7\Statement of Samuel Schumach, Press Secretary, Office of 
Personnel Management, July 2, 2015.

        As is the case throughout the Federal government, 
        agencies monitor the use of official computers and 
        other devices. In addition, at OPM, we provide guidance 
        on the use of computers and conduct yearly training. 
        Out of caution, and in light of the recent breaches, 
        OPM has recently tightened restrictions on internet 
        access using web security technology. As we move 
        forward with security measures which will ensure both 
        agency and individual security, OPM will continue to 
        monitor and make adjustments to our web security 
        policies.\8\
---------------------------------------------------------------------------
    \8\Id.

    Seven months later during her February 2016 confirmation 
hearing, OPM Acting Director Beth Cobert explained the 
reasoning behind OPM's decision to limit employees' access to 
---------------------------------------------------------------------------
certain websites:

        As the world of cybersecurity is changing, as we 
        recognize the nature of these threats, we all need to 
        change the way we interact, the way we use systems at 
        work and at home. What we have done at OPM, and I think 
        what is important for every agency to do, is to 
        recognize what needs to change in the way they operate, 
        what needs to change in the way their employees operate 
        to make sure systems are secure. At OPM, for example, I 
        cannot access my personal Gmail account from my OPM 
        computer. That is the way a lot of threats come in.\9\
---------------------------------------------------------------------------
    \9\Nomination of the Honorable Beth F. Cobert to be Director, 
Office of Personnel Management: Hearing Before S. Comm. on Homeland 
Sec; & Governmental Affairs, 114th Cong. (2016).

    However, Federal employee labor unions have raised concerns 
that such measures could have an adverse impact on Federal 
employees. In 2011, U.S. Immigration and Customs Enforcement 
(ICE) imposed a similar policy to limit employees' access to 
personal email from their workstations to improve 
cybersecurity.\10\ The American Federation of Government 
Employees (AFGE) filed a grievance against ICE with the Federal 
Labor Relations Authority (FLRA).\11\ The AFGE's grievance 
alleged that the agency's decision to block access to certain 
websites on employees' computers unlawfully bypassed the 
collective bargaining process.\12\
---------------------------------------------------------------------------
    \10\U.S. Department of Homeland Security Immigration and Customs 
Enforcement and American Federation of Government Employees National 
Immigration and Customs Enforcement Council 118, 67 F.L.R.A. 126 (July 
8, 2014).
    \11\Id.
    \12\Id.
---------------------------------------------------------------------------
    On July 8, 2014, the FLRA issued a decision ruling that the 
agency was required to bargain with the union before changing 
the cybersecurity policy in this case.\13\ The FLRA held that 
Federal employees' legal requirement to protect Federal 
information under the Federal Information Security Management 
Act (FISMA) did not provide the agency with sole and exclusive 
discretion to implement network-access policies affecting 
employees without first satisfying its bargaining obligations 
with the union.\14\
---------------------------------------------------------------------------
    \13\Id.
    \14\Id.
---------------------------------------------------------------------------
    Although the remedy provided by the arbitrator and affirmed 
by the FLRA in this case directed bargaining over only the 
``impact and implementation'' of the agency's decision to block 
webmail access, concerns have been raised by this decision that 
the remedy in a future case could include the requirement that 
an agency restore access and engage in pre-implementation 
bargaining. Agency heads and their chief information officers 
must have the ability to act quickly to respond to threats and 
address perceived weaknesses and vulnerabilities in their 
information systems. Failure to successfully defend against 
cyberattacks can have significant consequences for the nation 
and, in cases such as the OPM breach, millions of Federal 
employees.
    The Federal Information Systems Safeguards Act of 2016 will 
clarify that an agency head may limit, restrict, or prohibit 
access to certain websites that are determined to present a 
current or future security risk. Although such a decision by 
the agency head is not subject to collective bargaining, after 
an agency head takes such an action, the bill as amended 
requires the agency head to seek guidance and take into 
consideration the personal and work-related communication and 
access needs of agency employees, upon the employees' request. 
However, the bill further clarifies that this requirement does 
not establish a right to collective bargaining.
    The legislation will clarify Federal agency heads' cyber 
security authorities and discretion to act quickly to protect 
Federal information systems and, therefore, improve Federal 
cybersecurity.

                        III. LEGISLATIVE HISTORY

    Senator Joni Ernst introduced the Federal Information 
Systems Safeguard Act of 2016, S. 2975, on May 23, 2016. The 
bill was referred to the Senate Homeland Security and 
Governmental Affairs Committee. The Committee considered S. 
2975 at a business meeting on May 25, 2016.
    During the business meeting, Senator Ernst offered an 
amendment which was modified by a second degree amendment co-
sponsored by Senator Ernst and Senator Carper. The second 
degree amendment struck language expressing a sense of the 
Senate and inserted language to clarify that agency heads shall 
consider employees' communications needs, upon the request of 
the employees, after taking an action described in the 
legislation. The Ernst-Carper second degree amendment further 
clarified that nothing in this subsection shall be construed to 
establish a right to collective bargaining. The Ernst 
amendment, as amended by the Ernst-Carper second degree 
amendment, was adopted by voice vote with Senators Johnson, 
Portman, Paul, Lankford, Ayotte, Ernst, Sasse, Carper, 
McCaskill, Tester, Baldwin, Heitkamp, Booker, and Peters 
present.
    S. 2975, as amended, was reported favorably by voice vote 
with Senators Johnson, Portman, Paul, Lankford, Ayotte, Ernst, 
Sasse, Carper, McCaskill, Tester, Baldwin, Heitkamp, Booker, 
and Peters present.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section establishes the short title of the bill as the 
``Federal Information Systems Safeguards Act of 2016.''

Section 2. Agency discretion to secure information technology and 
        information systems

    This section enhances Federal information security by 
clarifying that any action taken by the head of an agency that 
is necessary to limit, restrict, or prohibit access to any 
website the head of the agency determines to present a current 
or future security weakness or risk to the information 
technology or information system under the control of the 
agency, shall not be subject to chapter 71 of title 5, United 
States Code, regarding labor-management relations.
    The section requires that agency heads shall, upon the 
request of employees of the agency, take into consideration and 
seek guidance on the personal communication needs of the 
employees of the agency. The section includes a rule of 
construction that nothing in this subsection shall be construed 
to establish a right to collective bargaining.
    The section also defines the terms ``agency,'' 
``information systems,'' and ``information technology.''

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

                                     U.S. Congress,
                               Congressional Budget Office,
                                     Washington, DC, June 28, 2016.
Hon. Ron Johnson,
Chairman Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 2975, the Federal 
Information Systems Safeguards Act of 2016.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Matthew 
Pickford.
            Sincerely,
                                                        Keith Hall.
    Enclosure.

S. 2975--Federal Information Systems Safeguards Act of 2016

    The Federal Information Security Management Act (FISMA) 
provides a comprehensive framework to protect the security of 
federal information systems. S. 2975 would clarify that, under 
FISMA, federal agencies have the sole and exclusive authority 
to take appropriate and timely actions to secure their 
information technology and information systems. CBO estimates 
that while implementing S. 2975 would clarify Congressional 
intent, it would have no significant effect on the federal 
budget because it would not expand the duties of executive 
agencies. Because enacting the bill could affect direct 
spending by agencies not funded through annual appropriations, 
pay-as-you-go procedures apply. CBO estimates, however, that 
any net change in spending by those agencies would be 
negligible. Enacting S. 2975 would not affect revenues.
    CBO estimates that enacting S. 2975 would not increase 
direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2027.
    S. 2975 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act and 
would not affect the budgets of state, local, or tribal 
governments.
    On March 24, 2016, CBO transmitted a cost estimate for H.R. 
4361, the Federal Information Systems Safeguards Act of 2016, 
as ordered reported by the House Committee on Oversight and 
Government Reform on March 1, 2016. The two bills are similar 
and CBO's estimate of their budgetary effects are the same.
    The CBO staff contact for this estimate is Matthew 
Pickford. This estimate was approved by H. Samuel Papenfuss, 
Deputy Assistant Director for Budget Analysis.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    Because S. 2975 would not repeal or amend any provision of 
current law, it would make no changes in existing law within 
the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI 
of the Standing Rules of the Senate.

                                  [all]