[Senate Report 114-378]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 673
114th Congress    }                                     {       Report
                                 SENATE
 2d Session       }                                     {      114-378
_______________________________________________________________________

                                     

                                                    
             FEDERAL CYBERSECURITY ENHANCEMENT ACT OF 2015

                               __________

                              R E P O R T

                                 of the

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 1869

   TO IMPROVE FEDERAL NETWORK SECURITY AND AUTHORIZE AND ENHANCE AN 
EXISTING INTRUSION DETECTION AND PREVENTION SYSTEM FOR CIVILIAN FEDERAL 
                                NETWORKS

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]







               November 17, 2016.--Ordered to be printed
                                 ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

69-010                         WASHINGTON : 201               
               
               
               
               
               
               
               
               
               
               
               
               
               
               
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 THOMAS R. CARPER, Delaware
ROB PORTMAN, Ohio                    CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky                  JON TESTER, Montana
JAMES LANKFORD, Oklahoma             TAMMY BALDWIN, Wisconsin
MICHAEL B. ENZI, Wyoming             HEIDI HEITKAMP, North Dakota
KELLY AYOTTE, New Hampshire          CORY A. BOOKER, New Jersey
JONI ERNST, Iowa                     GARY C. PETERS, Michigan
BEN SASSE, Nebraska

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
         Brooke N. Ericson, Chief Counsel for Homeland Security
              Gabrielle A. Batkin, Minority Staff Director
           John P. Kilvington, Minority Deputy Staff Director
               Mary Beth Schultz, Minority Chief Counsel
     Stephen R. Vina, Minority Chief Counsel for Homeland Security
                     Laura W. Kilbride, Chief Clerk
























                                                      Calendar No. 673
114th Congress    }                                     {       Report
                                 SENATE
 2d Session       }                                     {      114-378

======================================================================



 
             FEDERAL CYBERSECURITY ENHANCEMENT ACT OF 2015

                                _______
                                

               November 17, 2016.--Ordered to be printed

                                _______
                                

 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 1869]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 1869), to improve 
Federal network security and authorize and enhance an existing 
intrusion detection and prevention system for civilian Federal 
networks, having considered the same, reports favorably thereon 
with amendments and recommends that the bill, as amended, do 
pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................4
 IV. Section-by-Section Analysis......................................5
  V. Evaluation of Regulatory Impact.................................10
 VI. Congressional Budget Office Cost Estimate.......................10
VII. Changes in Existing Law Made by the Bill, as Reported...........11

                         I. Purpose and Summary

    The purpose of S. 1869, the Federal Cybersecurity 
Enhancement Act of 2015, is to improve cybersecurity at Federal 
civilian agencies through improvements to network and computer 
security and implementation of best practices in information 
security across the Federal Government.
    First, to improve perimeter security and detect and defend 
against cyberattacks, the bill would authorize a government-
wide intrusion detection and prevention system, operated by the 
Department of Homeland Security (DHS or ``the Department'') and 
today operationally implemented under the ``EINSTEIN'' 
programs. The bill would require several significant 
enhancements to EINSTEIN and enable and require agencies to 
apply the intrusion detection and prevention system to all 
information traveling to and from their information systems, 
clarifying that agencies may and shall deploy EINSTEIN 
notwithstanding any other law. Second, the bill would require 
that agencies implement important cybersecurity best practices, 
such as encryption of sensitive data and multi-factor 
authentication for high-risk users. Third, the bill would 
ensure agencies proactively seek out adversaries that may have 
already established a presence in their networks through a 
requirement that the Office of Management and Budget (OMB) and 
DHS create an intrusion assessment plan. Fourth, the bill would 
require the Director of OMB and the Secretary of Homeland 
Security (the Secretary) to prioritize advanced security tools 
for network monitoring, including within the Continuous 
Diagnostics and Mitigation (CDM) program.
    Fifth, the bill would require the Director of National 
Intelligence (the DNI) to identify information systems, which 
although unclassified, could reveal classified information if 
compromised. Sixth, the bill requires an assessment of the 
impact of the 2015 data breach at the Office of Personnel 
Management (OPM). Seventh, the bill would authorize the 
Secretary, in response to substantial threats, to issue 
directives to the heads of other agencies to take lawful action 
to protect their information systems and take direct action in 
response to imminent threats. Finally, the bill includes 
reporting and oversight requirements to ensure effective 
implementation.

              II. Background and the Need for Legislation

    Recent reports conservatively estimate that cybercrime and 
cyber espionage cost United States companies and citizens 
approximately $100 billion annually, resulting in the loss of 
as many as 508,000 jobs.\1\ The DNI has recognized that 
cybersecurity remains a top national security priority as 
``Cyber threats to US national and economic security are 
increasing in frequency, scale, sophistication, and severity of 
impact.''\2\ The United States Government, private sector, and 
the American public face real-time threats from a variety of 
actors and capabilities. These include nation-states with 
highly sophisticated cyber programs, nations with less 
technical capabilities but a more disruptive intent, profit-
motivated cybercriminals, and ideologically-motivated hackers 
and extremists.\3\
---------------------------------------------------------------------------
    \1\McAfee, The Econ. Impact of Cybercrime (July 2013), http://
www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime.pdf.
    \2\James R. Clapper, Off. of the Director of Nat'l Intelligence, 
Worldwide Threat Assessment of the US Intelligence Community 1 (2015), 
http://www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-
_SASC_FINAL.pdf.
    \3\Id. at 2.
---------------------------------------------------------------------------
    In recent years, foreign adversaries have stolen tens of 
millions of Americans' sensitive data as a result of data 
breaches at Federal agencies.\4\ For example, OPM has 
identified five major breaches of their information technology 
(IT) systems from malicious hackers.\5\ The most recent breach 
was in 2015, when OPM discovered two separate, yet related, 
breaches that impacted the data of Federal employees, 
contractors, and other individuals.\6\ Earlier that year, it 
was discovered that 4.2 million current and former Federal 
employees' personal data had been stolen.\7\ In June 2015, OPM 
also discovered that the sensitive information of 21.5 million 
individuals, collected in relation to background investigation 
records of current, former, and prospective Federal employees 
and contractors, had been breached.\8\ Of this amount, 19.7 
million individuals had applied for a background investigation, 
and 1.8 million were non-applicants (such as spouses or co-
habitants). Approximately 5.6 million of the records contained 
individual fingerprints. Some records also contained findings 
from background investigation interviews.\9\
---------------------------------------------------------------------------
    \4\See e.g., Off. of Personnel Management, Cybersecurity Resource 
Center: Cybersecurity Incidents (2016), https://www.opm.gov/
cybersecurity/cybersecurity-incidents/#WhatHappened. See also Press 
Release, IRS Statement on ``Get Transcript,'' IRS (Feb. 26, 2016), 
https://www.irs.gov/uac/newsroom/irs-statement-on-get-transcript.
    \5\Off. of Personnel Management, Final Audit Report: Audit of the 
Information Technology Security Controls of the U.S. Office of 
Personnel Management's Serena Business Manager FY 2013 (2013), https://
www.opm.gov/our-inspector-general/reports/2013/audit-of-the-
information-
technology-security-controls-of-the-us-office-of-personnel-managements-
serena-business-manager-fy-2013 4a-ci-00-13-023.pdf; see also Off. of 
Personnel Management, Cybersecurity Resource Center: Cybersecurity 
Incidents (2016), https://www.opm.gov/cybersecurity/cybersecurity-
incidents/#WhatHappened.
    \6\Off. of Personnel Management, Cybersecurity Resource Center: 
Cybersecurity Incidents (2016).
    \7\Id.
    \8\Id.
    \9\Id.
---------------------------------------------------------------------------
    In 2015, the Internal Revenue Service (IRS) also suffered a 
breach involving the IRS Get Transcript application, which 
allows taxpayers to view and download their information, such 
as account transactions, line-by-line tax return information, 
and reported income via the IRS public website.\10\ The IRS 
removed the application on May 21, 2015, after discovering that 
it was being used by unauthorized users to access taxpayer 
data.\11\ An analysis by the Treasury Inspector General for Tax 
Administration (TIGTA) identified 620,931 taxpayer accounts 
implicated by potentially unauthorized access from January 1, 
2014 through May 21, 2015.\12\ Further analysis found that the 
unauthorized users were successful in accessing and obtaining 
transcripts for 355,262 taxpayers' accounts.\13\ TIGTA also 
discovered that the IRS did not identify 2,470 additional 
taxpayers that were targeted through the Get Transcript 
application.\14\
---------------------------------------------------------------------------
    \10\Treasury Inspector Gen. for Tax Admin., 2016-40-037, The 
Internal Revenue Serv. Did Not Identify and Assist All Individuals 
Potentially Affected by the Get Transcript Application Data Breach 1 
(2016), https://www.treasury.gov/tigta/auditreports/2016reports/
201640037fr.pdf.
    \11\Id. at 2.
    \12\Id. at 7.
    \13\Id.
    \14\Id. at 11.
---------------------------------------------------------------------------
    As demonstrated through Committee oversight,\15\ Federal 
agencies such as OPM and the IRS have not always used best 
practices to secure their networks, which have contributed to 
data thefts. On June 2, 2015, the Committee held a hearing on 
the IRS data breach, where it was revealed that the IRS's lack 
of multi-factor authentication led to a weakened cyber defense 
against bad actors.\16\ Later that month, on June 25, 2015, the 
Committee examined the missteps leading up to the OPM data 
breach.\17\
---------------------------------------------------------------------------
    \15\The IRS Data Breach: Steps to Protect Americans' Personal 
Information: Hearing Before the S. Comm. on Homeland Sec. & 
Governmental Affairs, 114th Cong. (2015); Under Attack: Federal 
Cybersecurity and the OPM Data Breach: Hearing Before the S. Comm. on 
Homeland Sec. & Governmental Affairs, 114th Cong. (2015).
    \16\The IRS Data Breach: Steps to Protect Americans' Personal 
Information: Hearing Before the S. Comm. on Homeland Sec. & 
Governmental Affairs, 114th Cong. (2015).
    \17\Under Attack: Federal Cybersecurity and the OPM Data Breach: 
Hearing Before the S. Comm. on Homeland Sec. & Governmental Affairs, 
114th Cong. (2015).
---------------------------------------------------------------------------
    S. 1869 seeks to reduce and mitigate future breaches at 
Federal agencies through its requirements for cybersecurity 
best practices and authorization and mandated application and 
acceleration of the EINSTEIN program. This bill addresses those 
agency failures by mandating cybersecurity best practices such 
as encryption, multi-factor authentication, and stronger access 
controls. Further, S. 1869 requires OMB and DHS to develop a 
government-wide intrusion assessment to root out and eliminate 
intruders already in government networks.
    By authorizing the Department's intrusion detection and 
intrusion prevention system today operationally implemented 
under the EINSTEIN programs, S. 1869 will also further enable 
the Federal Government to detect and block malicious activity 
on agencies' networks. This bill for the first time would 
require the system to be available to all agencies. This bill 
would clear legal and other hurdles to deploying EINSTEIN and 
mandate that civilian agencies implement it within one year. 
Crucially, S. 1869 would also require that DHS make significant 
improvements to EINSTEIN to include, among other things, non-
signature based detection technologies, like heuristic and 
behavior-based detection technologies. Current reliance on 
decades old signature-based detection technology limits the 
effectiveness of EINSTEIN against advanced persistent threats. 
The legislation would require DHS to regularly deploy new 
technologies and modify existing technologies for the system 
and to assess and use commercial and non-commercial 
technologies to improve detection and prevention capabilities. 
In furtherance of improving EINSTEIN, S. 1869 would authorize a 
pilot program so DHS can quickly deploy and test new or 
improved detection and prevention technologies, and mandates 
that agencies adopt improvements within six months after DHS 
makes them available.
    While an intrusion detection and prevention system can 
provide much needed protections against cyber-attacks, it alone 
is insufficient to protect government data. As the cyber threat 
is constantly evolving, EINSTEIN must be complemented with 
current cybersecurity best practices. The bill would also give 
the Secretary of DHS the authority, in response to a known or 
reasonably suspected cyber threat, to issue an emergency 
directive to the head of another agency to take lawful action 
to protect their Federal information systems. The bill further 
would authorize the Secretary to use protective capabilities 
under the control of the Secretary to address an imminent 
threat against a civilian agency information system if an 
emergency directive action is not reasonably likely to result 
in a timely response to a cyber threat.
    Finally, the bill would require substantial privacy 
protections, robust reporting requirements, and a sunset so 
Congress can ensure that the Federal Cybersecurity Enhancement 
Act works as intended and agencies carry out their 
responsibilities effectively.

                        III. Legislative History

    On July 27, 2015, Ranking Member Tom Carper and Chairman 
Ron Johnson introduced S. 1869, the Federal Cybersecurity 
Enhancement Act of 2015, which was referred to the Committee on 
Homeland Security and Governmental Affairs.
    The Committee considered S. 1869 at a business meeting on 
July 29, 2015. Senator Rand Paul offered an amendment to 
clarify that the liability protections afforded in the bill did 
not extend to a situation in which an Internet Service Provider 
breaks a user agreement with its customer.
    An additional amendment offered by Senator Paul added data 
to a reporting requirement from the Secretary, namely the 
number of individuals whose information was not related to a 
cybersecurity risk but was nevertheless retained by EINSTEIN.
    Senators Kelly Ayotte and Claire McCaskill offered a 
modified amendment to require the Secretary to ensure that 
EINSTEIN is necessary to protect information systems from cyber 
threats, that DHS will only keep information related to 
cyberattacks, and that users of the system are notified that 
EINSTEIN could be used. The amendment also required the 
Attorney General to review policies and procedures governing 
access to information under EINSTEIN within one year.
    Senators Ayotte, McCaskill, Johnson, and Carper also 
offered a modified amendment to provide the Secretary with 
expanded authority to issue directives to agencies, in 
coordination with OMB, to mitigate substantial cybersecurity 
threats, implement those measures if the threat is imminent and 
the directive is not reasonably likely to result in a timely 
response, and require DHS to report to Congress annually 
regarding the Secretary's implementation of this amendment.
    Senator Ben Sasse offered a modified amendment to require 
the DNI to submit a report to Congress identifying unclassified 
information systems that, when combined, could comprise 
classified information, and assessing the risk associated with 
potential breaches of such systems.
    Senator Sasse also offered a modified amendment to require 
DHS to conduct a damage assessment on the OPM data breaches and 
report to Congress within 180 days. This includes an assessment 
of what data was compromised or changed, the impact on national 
security, and an analysis of whether any of the data stolen has 
been leaked.
    The Committee adopted all six amendments by voice vote. 
Senators present for the voice vote on the amendments were: 
Johnson, Portman, Lankford, Ernst, Sasse, Carper, Baldwin, 
Heitkamp, and Peters. The Committee favorably reported the 
bill, as amended, on a roll call vote of nine yeas to zero 
nays. Senators present and voting in the affirmative were 
Johnson, Portman, Lankford, Ernst, Sasse, Carper, Baldwin, 
Heitkamp, and Peters. Senators voting in the affirmative by 
proxy and for the record only were McCain, Enzi, Ayotte, 
McCaskill, Tester, and Booker. No Senators voted in the 
negative.
    S. 1869 was included in H.R. 2029, the Consolidated 
Appropriations Act of 2016, which was signed into law by 
President Obama on December 18, 2015, as Public Law Number 114-
113.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1. Short title

    This section provides the bill's short title, the ``Federal 
Cybersecurity Enhancement Act of 2015.''

Section 2. Definitions

    This section defines several terms, including ``agency,'' 
``agency information system,'' ``appropriate congressional 
committees,'' ``cybersecurity risk,'' ``information system,'' 
``Director,'' ``intelligence community,'' and ``Secretary.''

Section 3. Improved Federal network security

    Section 3(a) amends Title II of the Homeland Security Act 
of 2002 to add a new section (Sec. 228) on ``Cybersecurity 
Plans.''
          Subsection (a) of the new section 228 of the Homeland 
        Security Act of 2002, as redesignated, provides 
        definitions for the following terms: ``agency 
        information system,'' ``cybersecurity risk,'' 
        ``information sharing,'' and ``intelligence 
        community.''
          Subsection (b) of the new section requires the 
        Secretary, in coordination with the Director of OMB, to 
        develop and implement an intrusion assessment plan for 
        all Federal agencies' information systems except that 
        of the Department of Defense. The intrusion assessment 
        plan should provide a continuous mechanism to detect, 
        isolate, and eradicate current and past threats in 
        Federal agencies' information systems and complements 
        other security controls.
    Section 3(a) further amends Title II of the Homeland 
Security Act of 2002 to add a new section 230 on ``Federal 
Intrusion Detection and Prevention System,'' which authorizes 
the Department's existing signature-based network intrusion 
detection and prevention system, operationally known as 
EINSTEIN, with required improvements to the program's 
capabilities, cost-effectiveness, deployment schedule, and 
privacy protections.
          Subsection (a) of the new section 230 provides 
        definitions for the following terms: ``agency,'' 
        ``agency information,'' ``agency information system,'' 
        ``cybersecurity risk,'' and ``information system.''
          Subsection (b) of the new section authorizes the 
        Department's intrusion detection and prevention system, 
        by requiring the Secretary to deploy, operate, and 
        maintain an intrusion detection capability 
        (operationally known as EINSTEIN 1 and 2) and an 
        intrusion prevention capability (operationally known as 
        EINSTEIN 3A). In addition, the subsection authorizes 
        and requires expansion of the existing EINSTEIN 
        capabilities through the addition of new technologies 
        and modification of existing technologies to improve 
        those capabilities. The capabilities authorized in 
        subsection (b) apply to network traffic that is 
        transiting within an agency information system, to 
        network traffic that is traveling to an agency 
        information system, and to traffic that is traveling 
        from an agency information system.
          Subsection (c)(1) of the new section provides an 
        authorization for DHS to deploy EINSTEIN on agencies 
        network traffic, and for other agencies to allow 
        deployment of the system on their network traffic, 
        notwithstanding any other statute. A key limitation in 
        previous efforts to deploy the EINSTEIN program, for 
        example, has been statutes that restrict or prevent 
        disclosure of certain types of information such as, 
        statistical, proprietary, tax, and health data. 
        Subsection (c)(1) provides that for the purpose of 
        deploying EINSTEIN in its various current and future 
        iterations, such laws do not apply. The Secretary and 
        agencies with sensitive data are expected to confer 
        regarding the sensitivity of, and statutory protections 
        otherwise applicable to, information on agency 
        information systems. The Secretary is expected to 
        ensure that the policies and procedures developed under 
        this section appropriately restrict and limit 
        Department access, use, retention, and handling of such 
        information to protect the privacy and confidentiality 
        of such information, including ensuring that the 
        Department protects such sensitive data from 
        disclosure, and trains appropriate staff accordingly.
          Subsection (c)(2)-(7) of the new section sets forth 
        several authorities and requirements for the operation 
        of the EINSTEIN intrusion detection and prevention 
        system and other activities the Secretary may undertake 
        to enhance federal agency cybersecurity. Specifically, 
        the subsection authorizes the Secretary to contract 
        with other entities in deploying, operating, and 
        maintaining the intrusion detection capability. The 
        Secretary is provided with authorities to improve 
        EINSTEIN and is required to regularly assess and 
        utilize advanced protective technologies in EINSTEIN 
        and non-signature based detection such as heuristic and 
        behavior-based detection technologies. A pilot program 
        is created to enable fast acquisition, testing, and 
        deployment of such advanced protective technologies. 
        The Department of Defense's SHARKSEER program, for 
        example, rapidly acquires and integrates advanced 
        commercial cybersecurity technology for detecting 
        intrusions and malware for which signatures are not 
        already known and may possibly serve as a model for the 
        DHS operated intrusion detection and prevention system. 
        Finally, appropriate privacy protections for EINSTEIN 
        are provided, including: authorization to use, retain 
        and disclose data derived from the intrusion detection 
        and prevention capability only for protection from 
        cybersecurity risks; periodic updates to privacy impact 
        assessments; notice to users of the potential access by 
        EINSTEIN; and policies and procedures implementing 
        these requirements.
          Subsection (d) of the new section includes privacy 
        protections related to contractors offering EINSTEIN 
        services, such as internet service providers. 
        Contractors are prohibited from inappropriately using 
        or disclosing information received through EINSTEIN to 
        entities other than DHS or the affected agency. Private 
        entities are immune from liability for their assistance 
        to the Secretary in deploying, operating, and 
        maintaining EINSTEIN in accordance with the Act. 
        However, paragraph (3) clarifies that this protection 
        does not extend to internet service providers' 
        violations of their terms of service with their 
        customers.
          Subsection (e) of the new section requires the 
        Attorney General to review the policies and guidelines 
        for EINSTEIN to ensure they are consistent with 
        applicable laws.
    Section 3(b) of the bill requires the Director of OMB and 
the Secretary to review and update government-wide policies and 
programs to ensure appropriate use of network security 
monitoring tools. This section also requires OMB and the 
Secretary to brief Congress on these efforts.
    Section 3(c) requires that within one year agencies 
implement all EINSTEIN intrusion detection and intrusion 
prevention capabilities on all data traveling between an agency 
information system and any information system other than an 
agency information system, or two months after which it is made 
available, whichever is later. Similarly, this subsection 
requires agencies to deploy any improvements to EINSTEIN, such 
as new detection or prevention technologies, within six months 
after they are made available. This subsection does not apply 
to the Department of Defense or the intelligence community. 
Because this subsection relies on the definition of ``agency 
information system'' in Section 228 of the Homeland Security 
Act of 2002, as redesignated by this bill, it would not require 
deployment of EINSTEIN between two agency information systems, 
or an agency information system and an information system 
operated by a contractor to the agency. If the definition of 
``agency information system'' was constrained to mean only 
information systems owned or operated by an agency, the 
EINSTEIN requirement would apply to network traffic between an 
agency owned information system and a contractor owned 
information system.
    Section 3(d) updates the table of contents of the Homeland 
Security Act of 2002 to reflect changes made by this bill.

Section 4. Advanced internal defenses

    This section refers to the Department's Continuous 
Diagnostics and Mitigation (CDM) program authorized under 44 
U.S.C. 3553(b)(6)(B). It requires the Secretary to include in 
CDM advanced network security tools for improving continuous 
monitoring of agency networks. This includes using best 
practices to improve lateral security within agency networks 
such as the use of micro segmentation to mitigate cyber-
attacks, as well as developing metrics to measure security 
effectiveness with regard to intrusion and incident detection 
and response times. To increase transparency and 
accountability, the Secretary is required to implement a plan 
and share the agencies' metrics for intrusion detection and 
response times with the public to the extent practicable.

Section 5. Federal cybersecurity best practices

    This section requires the Secretary, in consultation with 
OMB, to regularly assess and implement best practices across 
all Federal agencies to continuously identify intrusions and 
prevent data exfiltration. In addition, it prescribes specific 
security requirements to be implemented within one year at all 
Federal agencies. These requirements are informed by recent 
data breaches at Federal agencies. Specifically, all Federal 
agencies must identify sensitive and mission-critical data, 
assess the access controls to the sensitive data including 
whether there is a need to store the data digitally at all or 
in a networked environment, and encrypt the data in order to 
protect it. This section also requires that agencies that allow 
users to logon to their websites utilize the General Services 
Administration's Connect.gov platform. This platform implements 
the National Strategy for Trusted Identities in Cyberspace by 
creating a single sign-on across Federal agency websites. 
Finally the section requires agencies to use multi-factor 
authentication for remote access to agency information and 
logons by privileged users. This section does not apply to the 
Department of Defense or the intelligence community.
    The Department should leverage the benefits of emerging 
cybersecurity technologies that shift from a perimeter 
protection paradigm to an automated policy-based approach where 
the protection can be implemented at a more granular level 
within the enterprise infrastructure. Such emerging 
technologies may include the use of multi-factor 
authentication, network segmentation, real-time monitoring, and 
proactive management of compliance using configuration 
management for software patching, event logging, and other 
advanced security measures to achieve trusted security in the 
infrastructure.

Section 6. Assessments; reports

    This section requires the Government Accountability Office 
(GAO) to assess and report on the effectiveness of the EINSTEIN 
program within three years of enactment. In addition, the 
Secretary must report on the status of the development of 
intrusion detection and prevention capabilities within six 
months of enactment and annually thereafter. This section also 
requires two reports from OMB: a report that analyzes Federal 
agency application of intrusion detection and prevention 
capabilities (which shall be included in OMB's annual 
interagency report under the Federal Information Security 
Management Act, as amended), and an annual report on the update 
of the intrusion assessment plan and best practices. In 
addition, it requires OMB to submit the intrusion assessment 
plan to Congress within six months of enactment.

Section 7. Termination

    This section sunsets section 230 of the Homeland Security 
Act of 2002, authorizing the EINSTEIN program, as well as all 
reporting requirements, seven years after enactment. However, 
the termination does not end the limitation on liability to 
private entities that assist with implementing this statute.

Section 8. Identification of unclassified information systems

    This section requires the DNI to work with all agencies to 
identify and assess unclassified information systems that when 
added to other unclassified information could pose a risk to 
classified information. The DNI is also required to report the 
findings to Congress. This section does not apply to the 
Department of Defense or the intelligence community.

Section 9. OPM data breach damage assessment

    This section requires the Secretary and the DNI to work 
together to assess the damage and risk related to the OPM data 
breach and provide an unclassified report to Congress within 
180 days of enactment.

Section 10. Direction to agencies

    This section allows the Secretary, after coordination with 
the OMB, and in response to a known or reasonably suspected 
information security threat, vulnerability or incident that 
represents a substantial threat to the information security of 
an agency, to issue a directive to an agency head to take 
specific action to protect an information system that the 
agency owns, operates, or benefits from to prevent or mitigate 
a security threat. DHS must submit a report each February 1 
regarding the Secretary's implementation of this paragraph. In 
addition, if there is an imminent threat to agency information 
systems and an emergency directive is not reasonably likely to 
result in a timely response to the threat, the Secretary may 
use any controls available to combat the threat without prior 
consultation with the affected agency. The Secretary must 
immediately notify OMB and the appropriate congressional 
committees of any action taken under this section. The 
authorities under this section may not be delegated below an 
Under Secretary for DHS.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this act and determined 
that the act will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the act contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments because this bill.

             VI. Congressional Budget Office Cost Estimate

                                                  January 15, 2016.
Hon. Ron Johnson,
Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 1869, the Federal 
Cybersecurity Enhancement Act of 2015.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is William Ma.
            Sincerely,
                                                        Keith Hall.
    Enclosure.

S. 1869--Federal Cybersecurity Enhancement Act of 2015

    S. 1869 would require the Department of Homeland Security 
(DHS) to make available the tools and capabilities necessary to 
protect the federal government's digital infrastructure and 
information systems against cyber threats. The bill would 
further require all federal agencies (except the Department of 
Defense and elements of the intelligence community) to adopt 
those tools once available. With the recent enactment of the 
Consolidated Appropriations Act, 2016, DHS and all federal 
agencies are already required to perform the same activities as 
those required by S. 1869. One notable difference, though, is 
that the Consolidated Appropriations Act, 2016, authorized the 
Office of Management and Budget to waive the requirement that 
agencies implement certain cybersecurity measures if doing so 
would either be unnecessary to secure agency information 
systems or extremely burdensome. S. 1869 contains no such 
exception.
    Although CBO does not have enough information to provide a 
precise estimate of the costs of implementing S. 1869, the 
costs of eliminating an agency's ability to obtain a waiver 
from some of the bill's requirements could be significant. The 
extent of those costs would depend not only on the number of 
agencies that will receive waivers under current law, but also 
the degree to which those agencies can implement the 
protections required by the bill. For example, one requirement 
in both S. 1869 and the Consolidated Appropriations Act, 2016, 
is to encrypt data stored on or moving through agency 
information systems.
    Based on information from various agencies, CBO expects 
that data residing on some older or out-of-date information 
systems cannot be encrypted. Those systems would either have to 
be updated or replaced. Under current law, CBO expects that 
some agencies in that situation will receive a waiver allowing 
them time to develop plans to update or replace their current 
systems. Under S. 1869, those agencies would be required to 
implement all capabilities, including data encryption, on all 
information systems not later than one year after enactment. 
Having to accelerate those agencies' plans to update or replace 
those systems within one year could cost hundreds of millions 
of dollars over the 2016-2020 period, CBO estimates. Such 
spending would be subject to the availability of appropriated 
funds.
    S. 1869 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    Enacting S. 1869 would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply. CBO 
estimates that enacting S. 1869 would not increase net direct 
spending or on-budget deficits in any of the four consecutive 
10-year periods beginning in 2026.
    The CBO staff contact for this estimate is William Ma. The 
estimate was approved by H. Samuel Papenfuss, Deputy Assistant 
Director for Budget Analysis.

       VII. Changes in Existing Law Made By The Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
S. 1869 as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

UNITED STATES CODE

           *       *       *       *       *       *       *


TITLE 44--PUBLIC PRINTING AND DOCUMENTS

           *       *       *       *       *       *       *


CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY

           *       *       *       *       *       *       *



SEC. 3553. AUTHORITY AND FUNCTIONS OF THE DIRECTOR AND THE SECRETARY.

    (a) * * *

           *       *       *       *       *       *       *

    (h) Direction of the Agencies.--
          (1) Authority.--
                  (A) In general.--Not withstanding section 
                3554, and subject to subparagraph (B), in 
                response to a known or reasonably suspected 
                information security threat, vulnerability or 
                incident that represents a substantial threat 
                to the information security of an agency, the 
                Secretary may issue a directive to the head of 
                an agency to take any lawful action with 
                respect to the operation of the information 
                system, including such systems owned or 
                operated by another entity on behalf of an 
                agency, that collects, processes, stores, 
                transmits, disseminates, or otherwise maintains 
                agency information, for the purpose of 
                protecting the information system from, or 
                mitigating, an information security threat.
                  (B) Exception.--The authorities of the 
                Secretary under this subsection shall not apply 
                to a system described in paragraph (2) or (3) 
                of subsection (e).
          (2) Procedures for use of authority.--The Secretary 
        shall--
                  (A) in coordination with the Director, 
                establish procedures governing the 
                circumstances under which a directive may be 
                issued under this subsection, which shall 
                include--
                          (i) thresholds and other criteria;
                          (ii) privacy and civil liberties 
                        protections; and
                          (iii) providing notice to potentially 
                        affected third parties;
                  (B) specify the reasons for the required 
                action and the duration of the directive;
                  (C) minimize the impact of a directive under 
                this subsection by--
                          (i) adopting the least intrusive 
                        means possible under the circumstances 
                        to secure the agency information 
                        systems; and
                          (ii) limiting directives to the 
                        shortest period practicable;
                  (D) notify the Director and the head of any 
                affected agency immediately upon the issuance 
                of a directive under this subsection; and
                  (E) not later than February 1 of each year, 
                submit to the appropriate congressional 
                committees a report regarding the specific 
                actions the Secretary has taken pursuant to 
                paragraph (1)(A).
          (3) Imminent threats.--
                  (A) In general.--If the Secretary determines 
                that there is an imminent threat to agency 
                information systems and a directive under this 
                subsection is not reasonably likely to result 
                in a timely response to the threat, the 
                Secretary may authorize the use of protective 
                capabilities under the control of the Secretary 
                for communications or other system traffic 
                transiting to or from or stored on an agency 
                information system without prior consultation 
                with the affected agency for the purpose of 
                ensuring the security of the information or 
                information system or other agency information 
                systems.
                  (B) Notice.--The Secretary shall immediately 
                notify the Director, the head and chief 
                information officer (or equivalent official) of 
                each agency to which specific actions were 
                taken pursuant to subparagraph (A), and the 
                appropriate congressional committees and 
                authorizing committees of each such agencies 
                of--
                          (i) any action taken under 
                        subparagraph (A); and
                          (ii) the reasons for and duration and 
                        nature of the action.
                  (C) Other law.--Any action of the Secretary 
                under this paragraph shall be consistent with 
                applicable law.
                  (D) Limitation of delegation.--The authority 
                under this paragraph may not be delegated to an 
                official in a position lower than an Under 
                Secretary of the Department of Homeland 
                Security.
          (4) Limitation.--The Secretary may direct or 
        authorize lawful action or protective capability under 
        this subsection only to--
                  (A) protect agency information from 
                unauthorized access, use, disclosure, 
                disruption, modification, or destruction; or
                  (B) require the remediation of or protect 
                against identified information security risks 
                with respect to--
                          (i) information collected or 
                        maintained by or on behalf of an 
                        agency; or
                          (ii) that portion of an information 
                        system used or operated by an agency or 
                        by a contractor of an agency or other 
                        organization on behalf of an agency.
    (i) Annual Report to Congress.--Not later than February 1 
of each year, the Director shall submit to the appropriate 
congressional committees a report regarding the specific 
actions the Director has taken pursuant to subsection (a)(5), 
including any actions taken pursuant to section 11303(b)(5) of 
title 40.
    (j) Appropriate Congressional Committees.--In this section, 
the term `appropriate congressional committees' means--
          (1) the Committee on Appropriations and the Committee 
        on Homeland Security and Governmental Affairs of the 
        Senate; and
          (2) the Committee on Appropriations and the Committee 
        on Homeland Security of the House of Representatives.

           *       *       *       *       *       *       *


HOMELAND SECURITY ACT OF 2002

           *       *       *       *       *       *       *



TITLE II--INFORMATION ANALYSIS AND INFRASTRUCTURE PROTECTION

           *       *       *       *       *       *       *


                    Subtitle C--Information Security

Sec. 226. Cybersecurity recruitment and retention.
Sec. 227. National cybersecurity and communications integration center.
Sec. 228. Cybersecurity plans.
Sec. 229. Clearances.
Sec. 230. Federal intrusion detection and prevention system.

[SEC. 227. CYBER INCIDENT RESPONSE PLAN.

    [The Under Secretary appointed under section 103(a)(1)(H) 
shall, in coordination with appropriate Federal departments and 
agencies, State and local governments, sector coordinating 
councils, information sharing and analysis organizations (as 
defined in section 212(5)), owners and operators of critical 
infrastructure, and other appropriate entities and individuals, 
develop, regularly update, maintain, and exercise adaptable 
cyber incident response plans to address cybersecurity risks 
(as defined in section 226) to critical infrastructure.]

           *       *       *       *       *       *       *


SEC. [228] 229. CLEARANCES.

           *       *       *       *       *       *       *


SEC. 228. CYBERSECURITY PLANS.

    (a) Definitions.--In this section--
          (1) the term ``agency information system'' means an 
        information system used or operated by an agency, by a 
        contractor of an agency, or by another entity on behalf 
        of an agency;
          (2) the terms ``cybersecurity risk'' and 
        ``information system'' have the meanings given those 
        terms in section 227; and
          (3) the term ``intelligence community'' has the 
        meaning given the term in section 3(4) of the National 
        Security Act of 1947 (50 U.S.C. 3003(4)).
    (b) Intrusion Assessment Plan.--
          (1) Requirement.--The Secretary, in coordination with 
        the Director of the Office of Management and Budget, 
        shall develop and implement an intrusion assessment 
        plan to identify and remove intruders in agency 
        information systems on a routine basis.
          (2) Exception.--The intrusion assessment plan 
        required under paragraph (1) shall not apply to the 
        Department of Defense or an element of the intelligence 
        community.
    (c) Cyber Incident Response Plan.--The Under Secretary 
appointed under section 103(a)(1)(H) shall, in coordination 
with appropriate Federal departments and agencies, State and 
local governments, sector coordinating councils, information 
sharing and analysis organizations (as defined in section 
212(5)), owners and operators of critical infrastructure, and 
other appropriate entities and individuals, develop, regularly 
update, maintain, and exercise adaptable cyber incident 
response plans to address cybersecurity risks (as defined in 
section 227) to critical infrastructure.

           *       *       *       *       *       *       *


SEC. 230. FEDERAL INTRUSION DETECTION AND PREVENTION SYSTEM.

    (a) Definitions.--In this section--
          (1) the term `agency' has the meaning given that term 
        in section 3502 of title 44, United States Code;
          (2) the term `agency information' means information 
        collected or maintained by or on behalf of an agency;
          (3) the term `agency information system' has the 
        meaning given the term in section 228; and
          (4) the terms `cybersecurity risk' and `information 
        system' have the meanings given those terms in section 
        227.
    (b) Requirement.--
          (1) In general.--Not later than 1 year after the date 
        of enactment of this section, the Secretary shall 
        deploy, operate, and maintain, to make available for 
        use by any agency, with or without reimbursement--
                  (A) a capability to detect cybersecurity 
                risks in network traffic transiting or 
                traveling to or from an agency information 
                system; and
                  (B) a capability to prevent network traffic 
                associated with such cybersecurity risks from 
                transiting or traveling to or from an agency 
                information system or modify such network 
                traffic to remove the cybersecurity risk.
          (2) Regular improvement.--The Secretary shall 
        regularly deploy new technologies and modify existing 
        technologies to the intrusion detection and prevention 
        capabilities described in paragraph (1) as appropriate 
        to improve the intrusion detection and prevention 
        capabilities.
    (c) Activities.--In carrying out subsection (b), the 
Secretary--
          (1) may access, and the head of an agency may 
        disclose to the Secretary or a private entity providing 
        assistance to the Secretary under paragraph (2), 
        information transiting or traveling to or from an 
        agency information system, regardless of the location 
        from which the Secretary or a private entity providing 
        assistance to the Secretary under paragraph (2) 
        accesses such information, notwithstanding any other 
        provision of law that would otherwise restrict or 
        prevent the head of an agency from disclosing such 
        information to the Secretary or a private entity 
        providing assistance to the Secretary under paragraph 
        (2);
          (2) may enter into contracts or other agreements 
        with, or otherwise request and obtain the assistance 
        of, private entities to deploy and operate technologies 
        in accordance with subsection (b);
          (3) may retain, use, and disclose information 
        obtained through the conduct of activities authorized 
        under this section only to protect information and 
        information systems from cybersecurity risks;
          (4) shall regularly assess through operational test 
        and evaluation in real world or simulated environments 
        available advanced protective technologies to improve 
        detection and prevention capabilities, including 
        commercial and non-commercial technologies and 
        detection technologies beyond signature-based 
        detection, and utilize such technologies when 
        appropriate;
          (5) shall establish a pilot to acquire, test, and 
        deploy, as rapidly as possible, technologies described 
        in paragraph (4); and
          (6) shall periodically update the privacy impact 
        assessment required under section 208(b) of the E 
        Government Act of 2002 (44 U.S.C. 3501 note); and
          (7) shall ensure that--
                  (A) activities carried out under this section 
                are reasonably necessary for the purpose of 
                protecting agency information and agency 
                information systems from a cybersecurity risk;
                  (B) information accessed by the Secretary 
                will be retained no longer than reasonably 
                necessary for the purpose of protecting agency 
                information and agency information systems from 
                a cybersecurity risk;
                  (C) notice has been provided to users of an 
                agency information system concerning access to 
                communications of users of the agency 
                information system for the purpose of 
                protecting agency information and the agency 
                information system; and
                  (D) the activities are implemented pursuant 
                to policies and procedures governing the 
                operation of the intrusion detection and 
                prevention capabilities.
    (d) Private Entities.--
          (1) Conditions.--A private entity described in 
        subsection (c)(2) may not--
                  (A) disclose any network traffic transiting 
                or traveling to or from an agency information 
                system to any entity other than the Department 
                or the agency that disclosed the information 
                under subsection (c)(1); or
                  (B) use any network traffic transiting or 
                traveling to or from an agency information 
                system to which the private entity gains access 
                in accordance with this section for any purpose 
                other than to protect agency information and 
                agency information systems against 
                cybersecurity risks or to administer a contract 
                or other agreement entered into pursuant to 
                subsection (c)(2) or as part of another 
                contract with the Secretary.
          (2) Limitation of liability.--No cause of action 
        shall lie in any court against a private entity for 
        assistance provided to the Secretary in accordance with 
        this section and any contract or agreement entered into 
        pursuant to subsection (c)(2).
          (3) Rule of construction.--Nothing in paragraph (2) 
        shall be construed to authorize an Internet service 
        provider to break a user agreement with a customer.
    (e) Attorney General Review.--Not later than 1 year after 
the date of enactment of this section, the Attorney General 
shall review the policies and guidelines for the program 
carried out under this section to ensure that the policies and 
guidelines are consistent with applicable law governing the 
acquisition, interception, retention, use, and disclosure of 
communications.

                                  [all]