[House Report 115-622]
[From the U.S. Government Publishing Office]


115th Congress   }                                     {        Report
                        HOUSE OF REPRESENTATIVES
 2d Session      }                                     {       115-622

======================================================================



 
                STB INFORMATION SECURITY IMPROVEMENT ACT

                                _______
                                

 April 5, 2018.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

 Mr. Shuster, from the Committee on Transportation and Infrastructure, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 4921]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Transportation and Infrastructure, to whom 
was referred the bill (H.R. 4921) to require the Surface Board 
of Transportation to implement certain recommendations of the 
Inspector General of the Department of Transportation, having 
considered the same, report favorably thereon with amendments 
and recommend that the bill as amended do pass.

                                CONTENTS

Purpose of Legislation
Background and Need for Legislation
Hearings
Legislative History and Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority and Tax Expenditures
Congressional Budget Office Cost Estimate
Performance Goals and Objectives
Advisory of Earmarks
Duplication of Federal Programs
Disclosure of Directed Rule Makings
Federal Mandate Statement
Preemption Clarification
Advisory Committee Statement
Applicability of Legislative Branch
Section-by-Section Analysis of Legislation
Changes in Existing Law Made by the Bill, as Reported

    The amendments are as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``STB Information Security Improvement 
Act''.

SEC. 2. REQUIREMENTS.

  (a) In General.--The Surface Transportation Board (in this section 
referred to as the ``STB'') shall develop a timeline and plan to 
implement the recommendations of the Inspector General of the 
Department of Transportation in Report No. FI2018002, including 
improvements--
          (1) to identify controls, including risk management, weakness 
        remediation, and security authorization;
          (2) to protect controls, including configuration management, 
        user identity and access management, and security training;
          (3) to detect controls, including continuous monitoring;
          (4) to respond controls, including incident handling and 
        reporting;
          (5) to recover controls for contingency planning; and
          (6) any additional tools that will improve the implementation 
        of the recommendations.
  (b) Implementation.--
          (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the STB shall submit the plan and 
        timeline developed under subsection (a) to the Committee on 
        Transportation and Infrastructure of the House of 
        Representatives and the Committee on Commerce of the Senate.
          (2) Report.--The STB shall report annually to such Committees 
        on the progress on implementation of the recommendations until 
        the implementation is complete.
          (3) Plan implementation.--The STB shall designate an 
        individual to implement the plan developed under subsection 
        (a).

SEC. 3. NO ADDITIONAL FUNDS AUTHORIZED.

  No additional funds are authorized to carry out the requirements of 
this Act. Such requirements shall be carried out using amounts 
otherwise authorized.

    Amend the title so as to read:
    A bill to require the Surface Transportation Board to 
implement certain recommendations of the Inspector General of 
the Department of Transportation.

                         PURPOSE OF LEGISLATION

    H.R. 4921, the STB Information Security Improvement Act, 
requires the Surface Transportation Board (STB) to develop a 
timeline and plan to modernize its information security 
program. The bill requires the STB to implement recommendations 
from the Department of Transportation Inspector General (DOT 
IG) Report Number FI2018002.

                  BACKGROUND AND NEED FOR LEGISLATION

    In October 2017, the DOT IG published a report that 
identified the STB's information security system to be at the 
Ad Hoc maturity level. The Ad Hoc maturity level means that 
policies, procedures, and strategy are not formalized and 
activities are performed in a reactive manner. The report 
outlined recommendations necessary for the STB to develop an 
effective information security program. The DOT IG's report 
made a series of recommendations to help STB improve its 
information security systems. The DOT IG outlined issues with 
the following:
    (1) STB's Identify controls--risk management, weakness 
remediation, and security authorization--were inadequate. STB 
did not have a risk management program and its process to 
reauthorize systems was inadequate.
    (2) STB's Protect controls--configuration management, user 
identity management, and security training--were inadequate. 
Policy and procedures did not cover software patch installation 
or parts of user identity management. Only 66 percent of STB 
employees completed 2017 security awareness training.
    (3) STB had no policy for Detect controls--the information 
security continuous monitoring program used to identify 
cybersecurity incidents--and lacked a monitoring strategy.
    (4) STB's Respond controls--incident handling and 
reporting--were inadequate. The policy did not cover incident 
response planning and analysis, and STB had not collaborated 
with DHS on incident response.
    (5) STB had not implemented Recover controls for 
contingency planning. STB lacked a plan for system recovery 
after emergency shutdowns, a business impact analysis, 
alternative processing sites, and data back-up.
    As a result of its separation from DOT in December 2015, 
the STB gained full control over its information security 
program. With that control came the responsibility for putting 
security controls in place, and that responsibility now resides 
within the STB. While the STB issued policies in May 2017 to 
create a cybersecurity program, it never completed their 
implementation, leaving its information security program 
encumbered by weaknesses in all five function areas listed 
above. An effective information security program is necessary 
to ensure the STB can execute its mission safely and 
effectively. The STB must improve its information security 
systems to avoid an increasing risk of attack or compromise.

                                HEARINGS

    There were no hearings related to this legislation in the 
House.

                 LEGISLATIVE HISTORY AND CONSIDERATION

    On February 5, 2018, Representative Paul Mitchell (R-MI) 
introduced H.R. 4921, the STB Information Security Improvement 
Act. On February 14, 2018, the Committee on Transportation and 
Infrastructure met in open session to consider H.R. 4921. An 
amendment was offered in Committee by Representative Mitchell, 
which was adopted by voice vote. The amendment made technical 
corrections and added a recommendation from the DOT IG report. 
The Committee ordered H.R. 4921, as amended, reported favorably 
to the House by voice vote with a quorum present.

                            COMMITTEE VOTES

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires each committee report to include the 
total number of votes cast for and against on each record vote 
on a motion to report and on any amendment offered to the 
measure or matter, and the names of those members voting for 
and against. There were no recorded votes associated with this 
bill.

                      COMMITTEE OVERSIGHT FINDINGS

    With respect to the requirements of clause 3(c)(1) of rule 
XIII of the Rules of the House of Representatives, the 
Committee's oversight findings and recommendations are 
reflected in this report.

               NEW BUDGET AUTHORITY AND TAX EXPENDITURES

    In compliance with clause 3(c)(2) of rule XIII of the Rules 
of the House of Representatives, the Committee adopts as its 
own the estimate of new budget authority, entitlement 
authority, or tax expenditures or revenues contained in the 
cost estimate prepared by the Director of the Congressional 
Budget Office pursuant to section 402 of the Congressional 
Budget Act of 1974, included below.

               CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

    With respect to the requirement of clause 3(c)(3) of rule 
XIII of the Rules of the House of Representatives and section 
402 of the Congressional Budget Act of 1974, the Committee has 
received the enclosed cost estimate for H.R. 4921, as amended, 
from the Director of the Congressional Budget Office:

                                     U.S. Congress,
                               Congressional Budget Office,
                                    Washington, DC, March 20, 2018.
Hon. Bill Shuster,
Chairman, Committee on Transportation and Infrastructure,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 4921, the STB 
Information Security Improvement Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Sarah Puro.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

H.R. 4921--STB Information Security Improvement Act

    H.R. 4921 would require the Surface Transportation Board 
(STB) to develop a plan to comply with recommendations made by 
the Department of Transportation's inspector general regarding 
its information security system. The bill would require the STB 
to report annually to the Congress on the status of its 
compliance with the inspector general's report.
    Under current law, CBO expects that the STB will implement 
the inspector general's recommendations regarding its 
information security system. The agency has already hired an 
employee to manage and implement the plan. As a result, CBO 
estimates that implementing the provisions of H.R. 4921 would 
have no significant effect on the federal budget over the 2018-
2022 period.
    Enacting H.R. 4921 would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply.
    CBO estimates that enacting H.R. 4921 would not increase 
net direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2028.
    H.R. 4921 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    The CBO staff contact for this estimate is Sarah Puro. The 
estimate was approved by H. Samuel Papenfuss, Deputy Assistant 
Director for Budget Analysis.

                    PERFORMANCE GOALS AND OBJECTIVES

    With respect to the requirement of clause 3(c)(4) of rule 
XIII of the Rules of the House of Representatives, the 
performance goals and objectives of this legislation are to 
ensure adequate information security at the STB. This bill, as 
amended, enhances cybersecurity by requiring the STB to plan 
for, and report on, implementation of the specific measures 
the DOT IG recommended to improve its information security.

                          ADVISORY OF EARMARKS

    Pursuant to clause 9 of rule XXI of the Rules of the House 
of Representatives, the Committee is required to include a list 
of congressional earmarks, limited tax benefits, or limited 
tariff benefits as defined in clause 9(e), 9(f), and 9(g) of 
rule XXI of the Rules of the House of Representatives. No 
provision in the bill, as amended, includes an earmark, limited 
tax benefit, or limited tariff benefit under clause 9(e), 9(f), 
or 9(g) of rule XXI.

                    DUPLICATION OF FEDERAL PROGRAMS

    Pursuant to section 3(g) of H. Res. 5, 114th Cong. (2015), 
the Committee finds that no provision of H.R. 4921, as amended, 
establishes or reauthorizes a program of the federal government 
known to be duplicative of another federal program, a program 
that was included in any report from the Government 
Accountability Office to Congress pursuant to section 21 of 
Public Law 111-139, or a program related to a program 
identified in the most recent Catalog of Federal Domestic 
Assistance.

                  DISCLOSURE OF DIRECTED RULE MAKINGS

    Pursuant to section 3(i) of H. Res. 5, 113th Cong. (2015), 
the Committee estimates that enacting H.R. 4921, as amended, 
does not specifically direct the completion of a specific rule 
making within the meaning of section 551 of title 5, United 
States Code.

                       FEDERAL MANDATE STATEMENT

    The Committee adopts as its own the estimate of federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act (Public Law 104-4).

                        PREEMPTION CLARIFICATION

    Section 423 of the Congressional Budget Act of 1974 
requires the report of any Committee on a bill or joint 
resolution to include a statement on the extent to which the 
bill or joint resolution is intended to preempt state, local, 
or tribal law. The Committee states that H.R. 4921, as amended, 
does not preempt any state, local, or tribal law. H.R. 4921, as 
amended, preserves the rights and permitting authorities of 
states.

                      ADVISORY COMMITTEE STATEMENT

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act are created by this 
legislation, as amended.

                  APPLICABILITY OF LEGISLATIVE BRANCH

    The Committee finds that the legislation, as amended, does 
not relate to the terms and conditions of employment or access 
to public services or accommodations within the meaning of 
section 102(b)(3) of the Congressional Accountability Act 
(Public Law 104-1).

               SECTION-BY-SECTION ANALYSIS OF LEGISLATION

Section 1. Short title

    This section designates the short title of the bill as the 
``STB Information Security Improvement Act''.

Section 2. Requirements

    This section directs the STB to develop a timeline and plan 
to implement the recommendations from the DOT IG Report Number 
FI2018002.
    No later than 180 days after the date of enactment, the STB 
must submit the plan and timeline to the Committee on 
Transportation and Infrastructure of the House and the 
Committee on Commerce of the Senate.
    The STB must annually update those Committees on its 
implementation progress until implementation is complete, and 
must designate an individual to implement the plan.

Section 3. No additional funds authorized

    This section lays out that no additional funds are 
authorized to carry out the requirements of the bill.

         CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    H.R. 4921 makes no changes to existing law.
