Requires each agency to annually undergo an independent evaluation of its information security program and practices. Requires related reports.
Requires the: (1) Department of Commerce to develop, issue, review, and update standards and guidance for the security of information in Federal computer systems; (2) Department of Defense (DOD) and the Central Intelligence Agency (CIA) to develop and issue information security policies for mission critical systems of such entities and ensure the implementation of such policies; (3) Department of Justice to review and update guidance to agencies on legal remedies regarding security incidents and coordination with law enforcement agencies concerning such incidents; (4) General Services Administration to review and update guidance on addressing security considerations relating to the acquisition of information technology; and (5) Office of Personnel Management to review and update regulations concerning computer security training for Federal civilian employees.
Allows mission critical information security policies developed by DOD and the CIA to be adopted by the OMB Director and heads of other Federal agencies with respect to mission critical systems of such agencies. Allows agencies to develop and implement more stringent information security policies than those required under this Act.
[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 1993 Introduced in Senate (IS)]
106th CONGRESS
1st Session
S. 1993
To reform Government information security by strengthening information
security practices throughout the Federal Government.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
November 19, 1999
Mr. Thompson (for himself and Mr. Lieberman) introduced the following
bill; which was read twice and referred to the Committee on
Governmental Affairs
_______________________________________________________________________
A BILL
To reform Government information security by strengthening information
security practices throughout the Federal Government.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Government Information Security Act
of 1999''.
SEC. 2. COORDINATION OF FEDERAL INFORMATION POLICY.
Chapter 35 of title 44, United States Code, is amended by inserting
at the end the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec. 3531. Purposes
``The purposes of this subchapter are to--
``(1) provide a comprehensive framework for establishing
and ensuring the effectiveness of controls over information
resources that support Federal operations and assets;
``(2)(A) recognize the highly networked nature of the
Federal computing environment including the need for Federal
Government interoperability and, in the implementation of
improved security management measures, assure that
opportunities for interoperability are not adversely affected;
and
``(B) provide effective governmentwide management and
oversight of the related information security risks, including
coordination of information security efforts throughout the
civilian, national security, and law enforcement communities;
``(3) provide for development and maintenance of minimum
controls required to protect Federal information and
information systems; and
``(4) provide a mechanism for improved oversight of Federal
agency information security programs.
``Sec. 3532. Definitions
``(a) Except as provided under subsection (b), the definitions
under section 3502 shall apply to this subchapter.
``(b) As used in this subchapter the term `information technology'
has the meaning given that term in section 5002 of the Clinger-Cohen
Act of 1996 (40 U.S.C. 1401).
``Sec. 3533. Authority and functions of the Director
``(a)(1) Consistent with subchapter I, the Director shall establish
governmentwide policies for the management of programs that support the
cost-effective security of Federal information systems by promoting
security as an integral component of each agency's business operations.
``(2) Policies under this subsection shall--
``(A) be founded on a continuing risk management cycle that
recognizes the need to--
``(i) identify, assess, and understand risk; and
``(ii) determine security needs commensurate with
the level of risk;
``(B) implement controls that adequately address the risk;
``(C) promote continuing awareness of information security
risk;
``(D) continually monitor and evaluate policy; and
``(E) control effectiveness of information security
practices.
``(b) The authority under subsection (a) includes the authority
to--
``(1) oversee and develop policies, principles, standards,
and guidelines for the handling of Federal information and
information resources to improve the efficiency and
effectiveness of governmental operations, including principles,
policies, and guidelines for the implementation of agency
responsibilities under applicable law for ensuring the privacy,
confidentiality, and security of Federal information;
``(2) consistent with the standards and guidelines
promulgated under section 5131 of the Clinger-Cohen Act of 1996
(40 U.S.C. 1441) and sections 5 and 6 of the Computer Security
Act of 1987 (40 U.S.C. 759 note; Public Law 100-235; 101 Stat.
1729), require Federal agencies to identify and afford security
protections commensurate with the risk and magnitude of the
harm resulting from the loss, misuse, or unauthorized access to
or modification of information collected or maintained by or on
behalf of an agency;
``(3) direct the heads of agencies to coordinate such
agencies and coordinate with industry to--
``(A) identify, use, and share best security
practices; and
``(B) develop voluntary consensus-based standards
for security controls, in a manner consistent with
section 2(b)(13) of the National Institute of Standards
and Technology Act (15 U.S.C. 272(b)(13));
``(4) oversee the development and implementation of
standards and guidelines relating to security controls for
Federal computer systems by the Secretary of Commerce through
the National Institute of Standards and Technology under
section 5131 of the Clinger-Cohen Act of 1996 (40 U.S.C. 1441)
and section 20 of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3);
``(5) oversee and coordinate compliance with this section
in a manner consistent with--
``(A) sections 552 and 552a of title 5;
``(B) sections 20 and 21 of the National Institute
of Standards and Technology Act (15 U.S.C. 278g-3 and
278g-4);
``(C) section 5131 of the Clinger-Cohen Act of 1996
(40 U.S.C. 1441);
``(D) sections 5 and 6 of the Computer Security Act
of 1987 (40 U.S.C. 759 note; Public Law 100-235; 101
Stat. 1729); and
``(E) related information management laws; and
``(6) take any authorized action that the Director
considers appropriate, including any action involving the
budgetary process or appropriations management process, to
enforce accountability of the head of an agency for information
resources management and for the investments made by the agency
in information technology, including--
``(A) recommending a reduction or an increase in
any amount for information resources that the head of
the agency proposes for the budget submitted to
Congress under section 1105(a) of title 31;
``(B) reducing or otherwise adjusting
apportionments and reapportionments of appropriations
for information resources; and
``(C) using other authorized administrative
controls over appropriations to restrict the
availability of funds for information resources.
``(c) The authority under this section may be delegated only to the
Deputy Director for Management of the Office of Management and Budget.
``Sec. 3534. Federal agency responsibilities
``(a) The head of each agency shall--
``(1) be responsible for--
``(A) adequately protecting the integrity,
confidentiality, and availability of information and
information systems supporting agency operations and
assets; and
``(B) developing and implementing information
security policies, procedures, and control techniques
sufficient to afford security protections commensurate
with the risk and magnitude of the harm resulting from
unauthorized disclosure, disruption, modification, or
destruction of information collected or maintained by
or for the agency;
``(2) ensure that each senior program manager is
responsible for--
``(A) assessing the information security risk
associated with the operations and assets of such
manager;
``(B) determining the levels of information
security appropriate to protect the operations and
assets of such manager; and
``(C) periodically testing and evaluating
information security controls and techniques;
``(3) delegate to the agency Chief Information Officer
established under section 3506, or a comparable official in an
agency not covered by such section, the authority to administer
all functions under this subchapter including--
``(A) designating a senior agency information
security officer;
``(B) developing and maintaining an agencywide
information security program as required under
subsection (b);
``(C) ensuring that the agency effectively
implements and maintains information security policies,
procedures, and control techniques;
``(D) training and overseeing personnel with
significant responsibilities for information security
with respect to such responsibilities; and
``(E) assisting senior program managers concerning
responsibilities under paragraph (2);
``(4) ensure that the agency has trained personnel
sufficient to assist the agency in complying with the
requirements of this subchapter and related policies,
procedures, standards, and guidelines; and
``(5) ensure that the agency Chief Information Officer, in
coordination with senior program managers, periodically--
``(A)(i) evaluates the effectiveness of the agency
information security program, including testing control
techniques; and
``(ii) implements appropriate remedial actions
based on that evaluation; and
``(B) reports to the agency head on--
``(i) the results of such tests and
evaluations; and
``(ii) the progress of remedial actions.
``(b)(1) Each agency shall develop and implement an agencywide
information security program to provide information security for the
operations and assets of the agency, including information security
provided or managed by another agency.
``(2) Each program under this subsection shall include--
``(A) periodic assessments of information security risks
that consider internal and external threats to--
``(i) the integrity, confidentiality, and
availability of systems; and
``(ii) data supporting critical operations and
assets;
``(B) policies and procedures that--
``(i) are based on the risk assessments required
under paragraph (1) that cost-effectively reduce
information security risks to an acceptable level; and
``(ii) ensure compliance with--
``(I) the requirements of this subchapter;
``(II) policies and procedures as may be
prescribed by the Director; and
``(III) any other applicable requirements;
``(C) security awareness training to inform personnel of--
``(i) information security risks associated with
personnel activities; and
``(ii) responsibilities of personnel in complying
with agency policies and procedures designed to reduce
such risks;
``(D)(i) periodic management testing and evaluation of the
effectiveness of information security policies and procedures;
and
``(ii) a process for ensuring remedial action to address
any deficiencies; and
``(E) procedures for detecting, reporting, and responding
to security incidents, including--
``(i) mitigating risks associated with such
incidents before substantial damage occurs;
``(ii) notifying and consulting with law
enforcement officials and other offices and
authorities; and
``(iii) notifying and consulting with an office
designated by the Administrator of General Services
within the General Services Administration.
``(3) Each program under this subsection is subject to the approval
of the Director and is required to be reviewed at least annually by
agency program officials in consultation with the Chief Information
Officer.
``(c)(1) Each agency shall examine the adequacy and effectiveness
of information security policies, procedures, and practices in plans
and reports relating to--
``(A) annual agency budgets;
``(B) information resources management under the Paperwork
Reduction Act of 1995 (44 U.S.C. 101 note);
``(C) program performance under sections 1105 and 1115
through 1119 of title 31, and sections 2801 through 2805 of
title 39; and
``(D) financial management under--
``(i) chapter 9 of title 31, United States Code,
and the Chief Financial Officers Act of 1990 (31 U.S.C.
501 note; Public Law 101-576) (and the amendments made
by that Act);
``(ii) the Federal Financial Management Improvement
Act of 1996 (31 U.S.C. 3512 note) (and the amendments
made by that Act); and
``(iii) the internal controls conducted under
section 3512 of title 31.
``(2) Any deficiency in a policy, procedure, or practice identified
under paragraph (1) shall be reported as a material weakness in
reporting required under the applicable provision of law under
paragraph (1).
``Sec. 3535. Annual independent evaluation
``(a)(1) Each year each agency shall have an independent evaluation
performed of the information security program and practices of that
agency.
``(2) Each evaluation under this section shall include--
``(A) an assessment of compliance with--
``(i) the requirements of this subchapter; and
``(ii) related information security policies,
procedures, standards, and guidelines; and
``(B) tests of the effectiveness of information security
control techniques.
``(b)(1) For agencies with Inspectors General appointed under the
Inspector General Act of 1978 (5 U.S.C. App.), annual evaluations
required under this section shall be performed by the Inspector General
or by an independent external auditor, as determined by the Inspector
General of the agency.
``(2) For any agency to which paragraph (1) does not apply, the
head of the agency shall contract with an independent external auditor
to perform the evaluation.
``(3) An evaluation of agency information security programs and
practices performed by the Comptroller General may be in lieu of the
evaluation required under this section.
``(c) Not later than March 1, 2001, and every March 1 thereafter,
the results of an evaluation required under this section shall be
submitted to the Director.
``(d) Each year the Comptroller General shall--
``(1) review the evaluations required under this section
and other information security evaluation results; and
``(2) report to Congress regarding the adequacy of agency
information programs and practices.
``(e) Agencies and auditors shall take appropriate actions to
ensure the protection of information, the disclosure of which may
adversely affect information security. Such protections shall be
commensurate with the risk and comply with all applicable laws.''.
SEC. 3. RESPONSIBILITIES OF CERTAIN AGENCIES.
(a) Department of Commerce.--The Secretary of Commerce, through the
National Institute of Standards and Technology and with technical
assistance from the National Security Agency, shall--
(1) develop, issue, review, and update standards and
guidance for the security of information in Federal computer
systems, including development of methods and techniques for
security systems and validation programs;
(2) develop, issue, review, and update guidelines for
training in computer security awareness and accepted computer
security practices, with assistance from the Office of
Personnel Management;
(3) provide agencies with guidance for security planning to
assist in the development of applications and system security
plans for such agencies;
(4) provide guidance and assistance to agencies concerning
cost-effective controls when interconnecting with other
systems; and
(5) evaluate information technologies to assess security
vulnerabilities and alert Federal agencies of such
vulnerabilities.
(b) Department of Justice.--The Department of Justice shall review
and update guidance to agencies on--
(1) legal remedies regarding security incidents and ways to
report to and work with law enforcement agencies concerning
such incidents; and
(2) permitted uses of security techniques and technologies.
(c) General Services Administration.--The General Services
Administration shall--
(1) review and update General Services Administration
guidance to agencies on addressing security considerations when
acquiring information technology; and
(2) assist agencies in the acquisition of cost-effective
security products, services, and incident response
capabilities.
(d) Office of Personnel Management.--The Office of Personnel
Management shall--
(1) review and update Office of Personnel Management
regulations concerning computer security training for Federal
civilian employees; and
(2) assist the Department of Commerce in updating and
maintaining guidelines for training in computer security
awareness and computer security best practices.
SEC. 4. TECHNICAL AND CONFORMING AMENDMENTS.
(a) In General.--Chapter 35 of title 44, United States Code, is
amended--
(1) in the table of sections--
(A) by inserting after the chapter heading the
following:
``SUBCHAPTER I--FEDERAL INFORMATION POLICY'';
and
(B) by inserting after the item relating to section
3520 the following:
``SUBCHAPTER II--INFORMATION SECURITY
``Sec.
``3531. Purposes.
``3532. Definitions.
``3533. Authority and functions of the Director.
``3534. Federal agency responsibilities.
``3535. Annual independent evaluation.'';
and
(2) by inserting before section 3501 the following:
``SUBCHAPTER I--FEDERAL INFORMATION POLICY''.
(b) References to Chapter 35.--Chapter 35 of title 44, United
States Code, is amended--
(1) in section 3501--
(A) in the matter preceding paragraph (1), by
striking ``chapter'' and inserting ``subchapter''; and
(B) in paragraph (11), by striking ``chapter'' and
inserting ``subchapter'';
(2) in section 3502, in the matter preceding paragraph (1),
by striking ``chapter'' and inserting ``subchapter'';
(3) in section 3503, in subsection (b), by striking
``chapter'' and inserting ``subchapter'';
(4) in section 3504--
(A) in subsection (a)(2), by striking ``chapter''
and inserting ``subchapter'';
(B) in subsection (d)(2), by striking ``chapter''
and inserting ``subchapter''; and
(C) in subsection (f)(1), by striking ``chapter''
and inserting ``subchapter'';
(5) in section 3505--
(A) in subsection (a), in the matter preceding
paragraph (1), by striking ``chapter'' and inserting
``subchapter'';
(B) in subsection (a)(2), by striking ``chapter''
and inserting ``subchapter''; and
(C) in subsection (a)(3)(B)(iii), by striking
``chapter'' and inserting ``subchapter'';
(6) in section 3506--
(A) in subsection (a)(1)(B), by striking
``chapter'' and inserting ``subchapter'';
(B) in subsection (a)(2)(A), by striking
``chapter'' and inserting ``subchapter'';
(C) in subsection (a)(2)(B), by striking
``chapter'' and inserting ``subchapter'';
(D) in subsection (a)(3)--
(i) in the first sentence, by striking
``chapter'' and inserting ``subchapter''; and
(ii) in the second sentence, by striking
``chapter'' and inserting ``subchapter'';
(E) in subsection (b)(4), by striking ``chapter''
and inserting ``subchapter'';
(F) in subsection (c)(1), by striking ``chapter,
to'' and inserting ``subchapter, to''; and
(G) in subsection (c)(1)(A), by striking
``chapter'' and inserting ``subchapter'';
(7) in section 3507--
(A) in subsection (e)(3)(B), by striking
``chapter'' and inserting ``subchapter'';
(B) in subsection (h)(2)(B), by striking
``chapter'' and inserting ``subchapter'';
(C) in subsection (h)(3), by striking ``chapter''
and inserting ``subchapter'';
(D) in subsection (j)(1)(A)(i), by striking
``chapter'' and inserting ``subchapter'';
(E) in subsection (j)(1)(B), by striking
``chapter'' and inserting ``subchapter''; and
(F) in subsection (j)(2), by striking ``chapter''
and inserting ``subchapter'';
(8) in section 3509, by striking ``chapter'' and inserting
``subchapter'';
(9) in section 3512--
(A) in subsection (a), by striking ``chapter if''
and inserting ``subchapter if''; and
(B) in subsection (a)(1), by striking ``chapter''
and inserting ``subchapter'';
(10) in section 3514--
(A) in subsection (a)(1)(A), by striking
``chapter'' and inserting ``subchapter''; and
(B) in subsection (a)(2)(A)(ii), by striking
``chapter'' and inserting ``subchapter'' each place it
appears;
(11) in section 3515, by striking ``chapter'' and inserting
``subchapter'';
(12) in section 3516, by striking ``chapter'' and inserting
``subchapter'';
(13) in section 3517(b), by striking ``chapter'' and
inserting ``subchapter'';
(14) in section 3518--
(A) in subsection (a), by striking ``chapter'' and
inserting ``subchapter'' each place it appears;
(B) in subsection (b), by striking ``chapter'' and
inserting ``subchapter'';
(C) in subsection (c)(1), by striking ``chapter''
and inserting ``subchapter'';
(D) in subsection (c)(2), by striking ``chapter''
and inserting ``subchapter'';
(E) in subsection (d), by striking ``chapter'' and
inserting ``subchapter''; and
(F) in subsection (e), by striking ``chapter'' and
inserting ``subchapter''; and
(15) in section 3520, by striking ``chapter'' and inserting
``subchapter''.
SEC. 5. EFFECTIVE DATE.
This Act and the amendments made by this Act shall take effect 30
days after the date of enactment of this Act.
Introduced in Senate
Sponsor introductory remarks on measure. (CR S15108-15109)
Read twice and referred to the Committee on Governmental Affairs.
Committee on Governmental Affairs. Hearings held.
Committee on Governmental Affairs. Ordered to be reported with an amendment in the nature of a substitute favorably.
Committee on Governmental Affairs. Reported to Senate by Senator Thompson with an amendment in the nature of a substitute. With written report No. 259.
Placed on Senate Legislative Calendar under General Orders. Calendar No. 489.