[Senate Report 115-322]
[From the U.S. Government Publishing Office]


                                                       Calendar No. 556
115th Congress       }                          {              Report
                                 SENATE
 2d Session          }                          {              115-322
_______________________________________________________________________

                                                                    

                                     
                                   

                STB INFORMATION SECURITY IMPROVEMENT ACT

                               __________

                              R E P O R T

                                 of the

           COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                                   on

                                S. 2844
                                
                                
                                
                                
                                










                August 16, 2018.--Ordered to be printed
                
                                  ______

                      U.S. GOVERNMENT PUBLISHING OFFICE 

79-010                        WASHINGTON : 2018
              
                
                
                
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
                     ONE HUNDRED FIFTEENTH CONGRESS
                             SECOND SESSION

                   JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi         BILL NELSON, Florida
ROY BLUNT, Missouri                  MARIA CANTWELL, Washington
TED CRUZ, Texas                      AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas                  BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska                 EDWARD J. MARKEY, Massachusetts
DEAN HELLER, Nevada                  TOM UDALL, New Mexico
JAMES M. INHOFE, Oklahoma            GARY C. PETERS, Michigan
MIKE LEE, Utah                       TAMMY BALDWIN, Wisconsin
RON JOHNSON, Wisconsin               TAMMY DUCKWORTH, Illinois
SHELLEY MOORE CAPITO, West Virginia  MARGARET WOOD HASSAN, New Hampshire
CORY GARDNER, Colorado               CATHERINE CORTEZ MASTO, Nevada
TODD C. YOUNG, Indiana               JON TESTER, Montana
                       Nick Rossi, Staff Director
                 Adrian Arnakis, Deputy Staff Director
                    Jason Van Beek, General Counsel
                 Kim Lipsky, Democratic Staff Director
           Christopher Day, Democratic Deputy Staff Director
           
           
           
           
           
           



 
                STB INFORMATION SECURITY IMPROVEMENT ACT


Mr. Thune, from the Committee on Commerce, Science, and Transportation, 
                        submitted the following

                              R E P O R T

                         [To accompany S. 2844]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Commerce, Science, and Transportation, to 
which was referred the bill (S. 2844) to require the Surface 
Transportation Board to implement certain recommendations of 
the Inspector General of the Department of Transportation, 
having considered the same, reports favorably thereon without 
amendment and recommends that the bill do pass.

                          Purpose of the Bill

    The purpose of S. 2844 is to improve the information 
security program of the Surface Transportation Board (STB) by 
requiring it to develop a timeline and plan to implement 
information security recommendations from the Department of 
Transportation Office of Inspector General (DOT OIG).

                          Background and Needs

    As the Federal agency charged with economic oversight of 
the Nation's freight rail system, STB is a five-member, 
bipartisan agency that has regulatory jurisdiction over 
railroad rate reasonableness, mergers, line acquisitions, new 
rail-line construction, abandonments of existing rail lines, 
and the conversion of rail rights-of-way into hiking and biking 
trails.
    In 2015, Congress passed the STB Reauthorization Act (P.L. 
114-110), reauthorizing STB for the first time since the 
agency's creation. Prior to reauthorization, STB was 
decisionally independent, but administratively housed within 
DOT.\1\ The STB Reauthorization Act established STB as an 
independent agency outside of DOT. As a stand-alone agency, STB 
became responsible for its administrative functions, including 
maintaining its own information security program.
---------------------------------------------------------------------------
    \1\Section 9 of the STB Reauthorization Act authorized the DOT OIG 
to review financial management, property management, and business 
operations of STB.
---------------------------------------------------------------------------
    The Federal Information Security Management Act of 2002 
(FISMA) (P.L. 107-347), as amended by the Federal Information 
Security Modernization Act of 2014 (P.L. 113-283), requires 
agencies to implement information security programs. FISMA also 
requires agencies to have an annual independent evaluation 
performed to determine the effectiveness of their programs and 
to report the results of these reviews to the Office of 
Management and Budget. Agencies that do not have inspectors 
general, such as STB, must use an external independent auditor 
to evaluate their information security programs. To perform its 
2017 FISMA evaluation, STB entered into a memorandum of 
understanding with DOT OIG.
    Pursuant to this agreement, DOT OIG conducted an 
independent evaluation of STB's information security programs 
and, on October 26, 2017, released its findings in a report 
entitled, ``The Surface Transportation Board's Information 
Security Program Is Not Effective.''\2\ The report, which 
concluded that STB's information security program is 
ineffective, included 14 recommendations to assist STB in 
developing an effective information security program. On 
November 21, 2017, STB submitted to DOT OIG a letter outlining 
the agency's proposed completion dates for each of the 14 DOT 
OIG recommendations, indicating that all recommendations should 
be implemented by December 31, 2018.
---------------------------------------------------------------------------
    \2\Department of Transportation Office of Inspector General. The 
Surface Transportation Board's Information Security Program Is Not 
Effective. Report No. FI2018002. October 26, 2017. 
(https://www.oig.dot.gov/library-item/36067)
---------------------------------------------------------------------------
    The STB Information Security Improvement Act would require 
STB to develop a timeline and plan for implementing the DOT OIG 
recommendations. The bill also would require STB to submit, 
within 180 days of enactment, its timeline and plan to the 
Committee on Commerce, Science, and Transportation of the 
Senate and the Committee on Transportation and Infrastructure 
of the House of Representatives. Finally, the bill would 
require STB to submit annual updates on its progress until it 
has fully implemented DOT OIG's recommendations.

                         Summary of Provisions

    If enacted, S. 2844 would do the following:
     Direct STB to develop a timeline and plan to 
implement the recommendations of DOT OIG's report number 
FI2018002 in order to improve the agency's information 
security.
     Require STB to submit its timeline and plan for 
implementing the DOT OIG recommendations to the relevant 
congressional committees.
     Require STB to submit annual updates on its 
implementation progress until it has fully implemented the DOT 
OIG recommendations.

                          Legislative History

    S. 2844 was introduced on May 15, 2018, by Senator Thune 
and was referred to the Committee on Commerce, Science, and 
Transportation of the Senate. On May 22, 2018, the Committee 
met in open Executive Session and, by voice vote, ordered S. 
2844 reported favorably without amendment.

                            Estimated Costs

    In accordance with paragraph 11(a) of rule XXVI of the 
Standing Rules of the Senate and section 403 of the 
Congressional Budget Act of 1974, the Committee provides the 
following cost estimate, prepared by the Congressional Budget 
Office:

S. 2844--STB Information Security Improvement Act

    S. 2844 would require the Surface Transportation Board 
(STB) to develop a plan to comply with recommendations made by 
the Department of Transportation's inspector general regarding 
its information security system. The bill would require the STB 
to report annually to the Congress on the status of its 
compliance with the inspector general's report.
    Under current law, CBO expects that the STB will implement 
the inspector general's recommendations regarding its 
information security system. The agency has already hired an 
employee to manage and implement the plan. As a result, CBO 
estimates that implementing the provisions of S. 2844 would 
have no significant effect on the federal budget over the 
2019-2023 period.
    Enacting S. 2844 would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply.
    CBO estimates that enacting S. 2844 would not increase net 
direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2029.
    S. 2844 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    On March 20, 2018, CBO transmitted a cost estimate for H.R. 
4921, the STB Information Security Improvement Act, as ordered 
reported by the House Committee on Transportation and 
Infrastructure on February 14, 2018. The two pieces of 
legislation are similar and CBO's estimates of their budgetary 
effects are the same.
    The CBO staff contact for this estimate is Sarah Puro. The 
estimate was reviewed by H. Samuel Papenfuss, Deputy Assistant 
Director for Budget Analysis.

                      Regulatory Impact Statement

    In accordance with paragraph 11(b) of rule XXVI of the 
Standing Rules of the Senate, the Committee provides the 
following evaluation of the regulatory impact of the 
legislation, as reported:

                       NUMBER OF PERSONS COVERED

    S. 2844, as reported, does not create any new programs or 
impose any new regulatory requirements and therefore would not 
subject any individuals or businesses to new regulations.

                            ECONOMIC IMPACT

    S. 2844, as reported, is not expected to have a negative 
impact on the Nation's economy.

                                PRIVACY

    S. 2844, as reported, is not expected to have an adverse 
impact on the personal privacy of individuals. Section 2 would 
require STB to implement recommendations of the DOT OIG to 
improve its information security program to provide additional 
protection for information managed by the agency. This should 
further ensure the privacy of data and records controlled and 
maintained by STB.

                               PAPERWORK

    S. 2844, as reported, would only incrementally affect 
paperwork requirements for STB. Section 2 would require STB to 
develop a timeline and plan for improving its information 
security program and to submit such information to Congress. 
STB further would be required to report annually on its 
implementation progress until the DOT OIG recommendations are 
implemented. This reporting requirement is expected to result 
in only a minimal increase in paperwork for STB until the date 
of full implementation of the recommendations.

                   Congressionally Directed Spending

    In compliance with paragraph 4(b) of rule XLIV of the 
Standing Rules of the Senate, the Committee provides that no 
provisions contained in the bill, as reported, meet the 
definition of congressionally directed spending items under the 
rule.

                      Section-by-Section Analysis


Section 1. Short title

    This section would provide that the bill may be cited as 
the ``STB Information Security Improvement Act.''

Section 2. Requirements

    This section would require STB to develop a timeline and 
plan to implement the recommendations of the DOT OIG report 
number FI2018002, which would include improvements to the 
identify, protect, recover, and respond controls for information 
security. STB also would be required to submit its 
implementation plan to Congress and to report annually on its 
progress in implementing the plan until all DOT OIG 
recommendations are closed.

Section 3. No additional funds authorized

    This section would provide that no additional funds are 
necessary to carry out the requirements of the bill.

                        Changes in Existing Law

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, the Committee states that the 
bill as reported would make no change to existing law.
