[Senate Report 115-322]
[From the U.S. Government Publishing Office]

Calendar No. 556
115th Congress, 2d Session                                 Senate Report 115-322

                  STB INFORMATION SECURITY IMPROVEMENT ACT

                                 R E P O R T
                                   of the
              COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
                                 on S. 2844

August 16, 2018.--Ordered to be printed

U.S. GOVERNMENT PUBLISHING OFFICE
79-010                         WASHINGTON : 2018

              SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
                    one hundred fifteenth congress, second session

JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi                BILL NELSON, Florida
ROY BLUNT, Missouri                         MARIA CANTWELL, Washington
TED CRUZ, Texas                             AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                       RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas                         BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska                        EDWARD J. MARKEY, Massachusetts
DEAN HELLER, Nevada                         TOM UDALL, New Mexico
JAMES M. INHOFE, Oklahoma                   GARY C. PETERS, Michigan
MIKE LEE, Utah                              TAMMY BALDWIN, Wisconsin
RON JOHNSON, Wisconsin                      TAMMY DUCKWORTH, Illinois
SHELLEY MOORE CAPITO, West Virginia         MARGARET WOOD HASSAN, New Hampshire
CORY GARDNER, Colorado                      CATHERINE CORTEZ MASTO, Nevada
TODD C. YOUNG, Indiana                      JON TESTER, Montana

Nick Rossi, Staff Director
Adrian Arnakis, Deputy Staff Director
Jason Van Beek, General Counsel
Kim Lipsky, Democratic Staff Director
Christopher Day, Democratic Deputy Staff Director

                  STB INFORMATION SECURITY IMPROVEMENT ACT

Mr. Thune, from the Committee on Commerce, Science, and Transportation, submitted the following

                                 R E P O R T

                          [To accompany S. 2844]

        [Including cost estimate of the Congressional Budget Office]

The Committee on Commerce, Science, and Transportation, to which was referred the bill (S. 2844) to require the Surface Transportation Board to implement certain recommendations of the Inspector General of the Department of Transportation, having considered the same, reports favorably thereon without amendment and recommends that the bill do pass.

Purpose of the Bill

The purpose of S. 2844 is to improve the information security program of the Surface Transportation Board (STB) by requiring it to develop a timeline and plan to implement information security recommendations from the Department of Transportation Office of Inspector General (DOT OIG).

Background and Needs

As the Federal agency charged with economic oversight of the Nation's freight rail system, STB is a five-member, bipartisan agency with regulatory jurisdiction over railroad rate reasonableness, mergers, line acquisitions, new rail-line construction, abandonments of existing rail lines, and the conversion of rail rights-of-way into hiking and biking trails.

In 2015, Congress passed the STB Reauthorization Act (P.L. 114-110), reauthorizing STB for the first time since the agency's creation. Prior to reauthorization, STB was decisionally independent but administratively housed within DOT.\1\ The STB Reauthorization Act established STB as an independent agency outside of DOT. As a stand-alone agency, STB became responsible for its own administrative functions, including maintaining its own information security program.
---------------------------------------------------------------------------
\1\Section 9 of the STB Reauthorization Act authorized the DOT OIG to review financial management, property management, and business operations of STB.
---------------------------------------------------------------------------

The Federal Information Security Management Act of 2002 (FISMA) (P.L. 107-347), as amended by the Federal Information Security Modernization Act of 2014 (P.L. 113-283), requires agencies to implement information security programs. FISMA also requires agencies to have an annual independent evaluation performed to determine the effectiveness of their programs and to report the results of these reviews to the Office of Management and Budget. Agencies that do not have inspectors general, such as STB, must use an external independent auditor to evaluate their information security programs.

To perform its 2017 FISMA evaluation, STB entered into a memorandum of understanding with DOT OIG. Pursuant to this agreement, DOT OIG conducted an independent evaluation of STB's information security program and, on October 26, 2017, released its findings in a report entitled ``The Surface Transportation Board's Information Security Program Is Not Effective.''\2\ The report, which concluded that STB's information security program is ineffective, included 14 recommendations to assist STB in developing an effective program. On November 21, 2017, STB submitted to DOT OIG a letter outlining the agency's proposed completion dates for each of the 14 DOT OIG recommendations, indicating that all recommendations should be implemented by December 31, 2018.
---------------------------------------------------------------------------
\2\Department of Transportation Office of Inspector General. The Surface Transportation Board's Information Security Program Is Not Effective. Report No. FI2018002. October 26, 2017. (https://www.oig.dot.gov/library-item/36067)
---------------------------------------------------------------------------

The STB Information Security Improvement Act would require STB to develop a timeline and plan for implementing the DOT OIG recommendations. The bill also would require STB to submit, within 180 days of enactment, its timeline and plan to the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Transportation and Infrastructure of the House of Representatives. Finally, the bill would require STB to submit annual updates on its progress until it has fully implemented DOT OIG's recommendations.

Summary of Provisions

If enacted, S. 2844 would do the following:

    Direct STB to develop a timeline and plan to implement the recommendations of DOT OIG report number FI2018002 in order to improve the agency's information security.

    Require STB to submit its timeline and plan for implementing the DOT OIG recommendations to the relevant congressional committees.

    Require STB to submit annual updates on its implementation progress until it has fully implemented the DOT OIG recommendations.

Legislative History

S. 2844 was introduced on May 15, 2018, by Senator Thune and was referred to the Committee on Commerce, Science, and Transportation of the Senate. On May 22, 2018, the Committee met in open Executive Session and, by voice vote, ordered S. 2844 reported favorably without amendment.

Estimated Costs

In accordance with paragraph 11(a) of rule XXVI of the Standing Rules of the Senate and section 403 of the Congressional Budget Act of 1974, the Committee provides the following cost estimate, prepared by the Congressional Budget Office:

S. 2844--STB Information Security Improvement Act

S. 2844 would require the Surface Transportation Board (STB) to develop a plan to comply with recommendations made by the Department of Transportation's inspector general regarding its information security system. The bill would require the STB to report annually to the Congress on the status of its compliance with the inspector general's report.

Under current law, CBO expects that the STB will implement the inspector general's recommendations regarding its information security system. The agency has already hired an employee to manage and implement the plan. As a result, CBO estimates that implementing the provisions of S. 2844 would have no significant effect on the federal budget over the 2019-2023 period.

Enacting S. 2844 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply.

CBO estimates that enacting S. 2844 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029.

S. 2844 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.

On March 20, 2018, CBO transmitted a cost estimate for H.R. 4921, the STB Information Security Improvement Act, as ordered reported by the House Committee on Transportation and Infrastructure on February 14, 2018. The two pieces of legislation are similar, and CBO's estimate of their budgetary effects is the same.

The CBO staff contact for this estimate is Sarah Puro. The estimate was reviewed by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis.

Regulatory Impact Statement

In accordance with paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee provides the following evaluation of the regulatory impact of the legislation, as reported:

NUMBER OF PERSONS COVERED

S. 2844, as reported, does not create any new programs or impose any new regulatory requirements and therefore would not subject any individuals or businesses to new regulations.

ECONOMIC IMPACT

S. 2844, as reported, is not expected to have a negative impact on the Nation's economy.

PRIVACY

S. 2844, as reported, is not expected to have an adverse impact on the personal privacy of individuals. Section 2 would require STB to implement recommendations of the DOT OIG to improve its information security program and thereby provide additional protection for information managed by the agency. This should further ensure the privacy of data and records controlled and maintained by STB.

PAPERWORK

S. 2844, as reported, would only incrementally affect paperwork requirements for STB. Section 2 would require STB to develop a timeline and plan for improving its information security program and to submit that information to Congress. STB further would be required to report annually on its implementation progress until the DOT OIG recommendations are implemented. This reporting requirement is expected to result in only a minimal increase in paperwork for STB until the date of full implementation of the recommendations.

Congressionally Directed Spending

In compliance with paragraph 4(b) of rule XLIV of the Standing Rules of the Senate, the Committee provides that no provisions contained in the bill, as reported, meet the definition of congressionally directed spending items under the rule.

Section-by-Section Analysis

Section 1. Short title

This section would provide that the bill may be cited as the ``STB Information Security Improvement Act.''

Section 2. Requirements

This section would require STB to develop a timeline and plan to implement the recommendations of DOT OIG report number FI2018002, including improvements to the agency's identify, protect, recover, and respond controls for information security. STB also would be required to submit its implementation plan to Congress and to report annually on its progress in implementing the plan until all DOT OIG recommendations are closed.

Section 3. No additional funds authorized

This section would provide that no additional funds are necessary to carry out the requirements of the bill.

Changes in Existing Law

In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, the Committee states that the bill as reported would make no change to existing law.