[Senate Report 115-322]
[From the U.S. Government Publishing Office]
Calendar No. 556
115th Congress } { Report
SENATE
2d Session } { 115-322
_______________________________________________________________________
STB INFORMATION SECURITY IMPROVEMENT ACT
__________
R E P O R T
of the
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
on
S. 2844
August 16, 2018.--Ordered to be printed
______
U.S. GOVERNMENT PUBLISHING OFFICE
79-010 WASHINGTON : 2018
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
One Hundred Fifteenth Congress
Second Session
JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi BILL NELSON, Florida
ROY BLUNT, Missouri MARIA CANTWELL, Washington
TED CRUZ, Texas AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska EDWARD J. MARKEY, Massachusetts
DEAN HELLER, Nevada TOM UDALL, New Mexico
JAMES M. INHOFE, Oklahoma GARY C. PETERS, Michigan
MIKE LEE, Utah TAMMY BALDWIN, Wisconsin
RON JOHNSON, Wisconsin TAMMY DUCKWORTH, Illinois
SHELLEY MOORE CAPITO, West Virginia MARGARET WOOD HASSAN, New Hampshire
CORY GARDNER, Colorado CATHERINE CORTEZ MASTO, Nevada
TODD C. YOUNG, Indiana JON TESTER, Montana
Nick Rossi, Staff Director
Adrian Arnakis, Deputy Staff Director
Jason Van Beek, General Counsel
Kim Lipsky, Democratic Staff Director
Christopher Day, Democratic Deputy Staff Director
Mr. Thune, from the Committee on Commerce, Science, and Transportation,
submitted the following
R E P O R T
[To accompany S. 2844]
[Including cost estimate of the Congressional Budget Office]
The Committee on Commerce, Science, and Transportation, to
which was referred the bill (S. 2844) to require the Surface
Transportation Board to implement certain recommendations of
the Inspector General of the Department of Transportation,
having considered the same, reports favorably thereon without
amendment and recommends that the bill do pass.
Purpose of the Bill
The purpose of S. 2844 is to improve the information
security program of the Surface Transportation Board (STB) by
requiring it to develop a timeline and plan to implement
information security recommendations from the Department of
Transportation Office of Inspector General (DOT OIG).
Background and Needs
As the Federal agency charged with economic oversight of
the Nation's freight rail system, STB is a five-member,
bipartisan agency that has regulatory jurisdiction over
railroad rate reasonableness, mergers, line acquisitions, new
rail-line construction, abandonments of existing rail lines,
and the conversion of rail rights-of-way into hiking and biking
trails.
In 2015, Congress passed the STB Reauthorization Act (P.L.
114-110), reauthorizing STB for the first time since the
agency's creation. Prior to reauthorization, STB was
decisionally independent, but administratively housed within
DOT.\1\ The STB Reauthorization Act established STB as an
independent agency outside of DOT. As a stand-alone agency, STB
became responsible for its administrative functions, including
maintaining its own information security program.
---------------------------------------------------------------------------
\1\Section 9 of the STB Reauthorization Act authorized the DOT OIG
to review financial management, property management, and business
operations of STB.
---------------------------------------------------------------------------
The Federal Information Security Management Act of 2002
(FISMA) (P.L. 107-347), as amended by the Federal Information
Security Modernization Act of 2014 (P.L. 113-283), requires
agencies to implement information security programs. FISMA also
requires agencies to have an annual independent evaluation
performed to determine the effectiveness of their programs and
to report the results of these reviews to the Office of
Management and Budget. Agencies that do not have inspectors
general, such as STB, must use an external independent auditor
to evaluate their information security programs. To perform its
2017 FISMA evaluation, STB entered into a memorandum of
understanding with DOT OIG.
Pursuant to this agreement, DOT OIG conducted an
independent evaluation of STB's information security programs
and, on October 26, 2017, released its findings in a report
entitled, ``The Surface Transportation Board's Information
Security Program Is Not Effective.''\2\ The report, which
concluded that STB's information security program is
ineffective, included 14 recommendations to assist STB in
developing an effective information security program. On
November 21, 2017, STB submitted to DOT OIG a letter outlining
the agency's proposed completion dates for each of the 14 DOT
OIG recommendations, indicating that all recommendations should
be implemented by December 31, 2018.
---------------------------------------------------------------------------
\2\Department of Transportation Office of Inspector General. The
Surface Transportation Board's Information Security Program Is Not
Effective. Report No. FI2018002. October 26, 2017.
(https://www.oig.dot.gov/library-item/36067)
---------------------------------------------------------------------------
The STB Information Security Improvement Act would require
STB to develop a timeline and plan for implementing the DOT OIG
recommendations. The bill also would require STB to submit,
within 180 days of enactment, its timeline and plan to the
Committee on Commerce, Science, and Transportation of the
Senate and the Committee on Transportation and Infrastructure
of the House of Representatives. Finally, the bill would
require STB to submit annual updates on its progress until it
has fully implemented DOT OIG's recommendations.
Summary of Provisions
If enacted, S. 2844 would do the following:
Direct STB to develop a timeline and plan to
implement the recommendations of DOT OIG's report number
FI2018002 in order to improve the agency's information
security.
Require STB to submit its timeline and plan for
implementing the DOT OIG recommendations to the relevant
congressional committees.
Require STB to submit annual updates on its
implementation progress until it has fully implemented the DOT
OIG recommendations.
Legislative History
S. 2844 was introduced on May 15, 2018, by Senator Thune
and was referred to the Committee on Commerce, Science, and
Transportation of the Senate. On May 22, 2018, the Committee
met in open Executive Session and, by voice vote, ordered S.
2844 reported favorably without amendment.
Estimated Costs
In accordance with paragraph 11(a) of rule XXVI of the
Standing Rules of the Senate and section 403 of the
Congressional Budget Act of 1974, the Committee provides the
following cost estimate, prepared by the Congressional Budget
Office:
S. 2844--STB Information Security Improvement Act
S. 2844 would require the Surface Transportation Board
(STB) to develop a plan to comply with recommendations made by
the Department of Transportation's inspector general regarding
its information security system. The bill would require the STB
to report annually to the Congress on the status of its
compliance with the inspector general's report.
Under current law, CBO expects that the STB will implement
the inspector general's recommendations regarding its
information security system. The agency has already hired an
employee to manage and implement the plan. As a result, CBO
estimates that implementing the provisions of S. 2844 would
have no significant effect on the federal budget over the
2019-2023 period.
Enacting S. 2844 would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply.
CBO estimates that enacting S. 2844 would not increase net
direct spending or on-budget deficits in any of the four
consecutive 10-year periods beginning in 2029.
S. 2844 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
On March 20, 2018, CBO transmitted a cost estimate for H.R.
4921, the STB Information Security Improvement Act, as ordered
reported by the House Committee on Transportation and
Infrastructure on February 14, 2018. The two pieces of
legislation are similar and CBO's estimates of their budgetary
effects are the same.
The CBO staff contact for this estimate is Sarah Puro. The
estimate was reviewed by H. Samuel Papenfuss, Deputy Assistant
Director for Budget Analysis.
Regulatory Impact Statement
In accordance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following evaluation of the regulatory impact of the
legislation, as reported:
NUMBER OF PERSONS COVERED
S. 2844, as reported, does not create any new programs or
impose any new regulatory requirements and therefore would not
subject any individuals or businesses to new regulations.
ECONOMIC IMPACT
S. 2844, as reported, is not expected to have a negative
impact on the Nation's economy.
PRIVACY
S. 2844, as reported, is not expected to have an adverse
impact on the personal privacy of individuals. Section 2 would
require STB to implement recommendations of the DOT OIG to
improve its information security program to provide additional
protection for information managed by the agency. This should
further ensure the privacy of data and records controlled and
maintained by STB.
PAPERWORK
S. 2844, as reported, would only incrementally affect
paperwork requirements for STB. Section 2 would require STB to
develop a timeline and plan for improving its information
security program and to submit such information to Congress.
STB further would be required to report annually on its
implementation progress until the DOT OIG recommendations are
implemented. This reporting requirement is expected to result
in only a minimal increase in paperwork for STB until the date
of full implementation of the recommendations.
Congressionally Directed Spending
In compliance with paragraph 4(b) of rule XLIV of the
Standing Rules of the Senate, the Committee provides that no
provisions contained in the bill, as reported, meet the
definition of congressionally directed spending items under the
rule.
Section-by-Section Analysis
Section 1. Short title
This section would provide that the bill may be cited as
the ``STB Information Security Improvement Act.''
Section 2. Requirements
This section would require STB to develop a timeline and
plan to implement the recommendations of the DOT OIG report
number FI2018002, which would include improvements to identify,
protect, recover, and respond to controls for information
security. STB also would be required to submit its
implementation plan to Congress and to report annually on its
progress in implementing the plan until all DOT OIG
recommendations are closed.
Section 3. No additional funds authorized
This section would provide that no additional funds are
necessary to carry out the requirements of the bill.
Changes in Existing Law
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, the Committee states that the
bill as reported would make no change to existing law.