Safe and Secure Federal Websites Act of 2014 - (Sec. 2) Prohibits a federal agency from deploying or making available to the public a new federal personally identifiable information website (new Federal PII Website) until the chief information officer of the agency submits a certification to Congress that the website is fully functional and secure, as those terms are defined by this Act. Defines "new Federal PII website" as a website that: (1) is operated by (or under contract with) an agency; (2) elicits, collects, stores, or maintains personally identifiable information (i.e., information that can be used to identify an individual, such as a social security number, a date and place of birth, a mother's maiden name, biometric records, or other information linked to an individual); and (3) is first made accessible to the public and collects or stores personally identifiable information on or after October 1, 2012.
Exempts beta websites designed for testing and development if users execute an agreement acknowledging the risks involved.
(Sec. 3) Directs the Director of the Office of Management and Budget (OMB) to establish and oversee policies and procedures for federal agencies to follow in the event of a breach of information security involving the disclosure of personally identifiable information, including: (1) notice, not later than 72 hours after discovery of a breach or possible breach, to individuals whose personally identifiable information could be compromised as a result of such breach; (2) timely reporting to a federal cyber security center designated by this Act; and (3) any additional actions that the Director finds necessary and appropriate.
Requires: (1) agency heads to ensure that agency actions taken in response to a breach comply with OMB policies and procedures established by this Act; and (2) the OMB Director to report to Congress, not later than March 1 of each year, on agency compliance with such policies and procedures.
[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3635 Introduced in House (IH)]
113th CONGRESS
1st Session
H. R. 3635
To ensure the functionality and security of new Federal websites that
collect personally identifiable information, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
December 3, 2013
Mr. Bentivolio introduced the following bill; which was referred to the
Committee on Oversight and Government Reform
_______________________________________________________________________
A BILL
To ensure the functionality and security of new Federal websites that
collect personally identifiable information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Safe and Secure Federal Websites Act
of 2013''.
SEC. 2. ENSURING FUNCTIONALITY AND SECURITY OF NEW FEDERAL WEBSITES
THAT COLLECT PERSONALLY IDENTIFIABLE INFORMATION.
(a) Certification Requirement.--
(1) In general.--Except as otherwise provided under this
subsection, an agency may not deploy or make available to the
public a new Federal PII website until the date on which a
certification under subsection (b)(2) is submitted to Congress
that the website is fully functional and secure.
(2) Transition.--In the case of a new Federal PII website
that is operational on the date of the enactment of this Act,
paragraph (1) shall not apply until the end of the 30-day
period beginning on such date of enactment. If the
certification under subsection (b)(2) for such website has not
been submitted to Congress before the end of such period, the
head of the responsible agency shall render the website
inaccessible to the public until such certification is
submitted to Congress.
(3) Exception for beta website with explicit permission.--
Paragraph (1) shall not apply to a website (or portion thereof)
that is designed for testing and development purposes, if the
following conditions are met:
(A) A member of the public may access PII-related
portions of the website only after executing an
agreement that acknowledges the risks involved.
(B) No agency compelled, enjoined, or otherwise
provided incentives for such a member to access the
website for such purposes.
(4) Construction.--Nothing in this section shall be
construed as applying to a website that is operated entirely by
an entity (such as a State or locality) that is independent of
the Federal Government, regardless of the receipt of funding in
support of such website from the Federal Government.
(b) Process for Study and Certification of Functionality and
Security of New Federal PII Websites.--
(1) GAO study and report.--
(A) Study.--
(i) Current websites.--Not later than 30
days after the date of the enactment of this
Act, the Comptroller General of the United
States shall conduct a study of each new
Federal PII website that is operational as of
such date of enactment to determine whether
such website is fully functional and secure.
(ii) Future websites.--Not later than 30
days after the date on which an advance
notification is received under paragraph (3)
for a new Federal PII website that is not
operational as of such date of enactment, the
Comptroller General shall conduct a study of
such website to determine whether such website
is fully functional and secure.
(B) Report to appropriate congressional
committees.--Upon the completion of a study of a
website under subparagraph (A) or (C), the Comptroller
General shall submit to the appropriate committees of
Congress and the Chief Information Officer for the
responsible agency a report on the results of the
study. Such report shall include a determination of
whether the website is fully functional and secure.
(C) Followup studies and report.--If, based on the
results of the most recent study under subparagraph (A)
or this subparagraph, the Comptroller General
determines that the website is not fully functional or
not secure, the Comptroller General shall conduct an
additional study (and submit a report described in
subparagraph (B) on the results of such study) until
the Comptroller General determines that the website is
determined to be fully functional and secure.
(2) Certification by cio of responsible agency.--Upon the
submission of a report under paragraph (1) that determines that
a website operated by a responsible agency is fully functional
and secure, the Chief Information Officer for such agency shall
submit to Congress a certification of the results of such
report and a certification as to whether the website is fully
functional and secure.
(3) Advance notification for operation of future
websites.--Each agency that intends to operate a new Federal
PII website on or after the date of the enactment of this Act
shall notify the Comptroller General of such intention and
provide to the Comptroller General, in advance of the website
becoming operational, such information as the Comptroller
General may require to conduct a study and perform an
evaluation under this subsection.
(c) Definitions.--In this section:
(1) Agency.--The term ``agency'' has the meaning given that
term under section 551 of title 5, United States Code.
(2) Fully functional.--The term ``fully functional'' means,
with respect to a new Federal PII website, that the website can
fully support the activities for which it is designed or
intended with regard to the eliciting, collection, or storage
of personally identifiable information, including handling a
volume of queries relating to such information commensurate
with the purpose for which the website is designed.
(3) New federal pii website.--The term ``new Federal PII
website'' means a website that--
(A) is operated by (or under a contract with) an
agency;
(B) elicits, collects, or stores personally
identifiable information of individuals and is
accessible to the public; and
(C) is first made accessible to the public and
collects or stores personally identifiable information
of individuals, on or after July 1, 2013.
(4) Operational.--The term ``operational'' means, with
respect to a website, that such website elicits, collects, or
stores personally identifiable information of members of the
public and is accessible to the public.
(5) Personally identifiable information (pii).--The terms
``personally identifiable information'' and ``PII'' mean any
information that can be associated with one individual through
a social security account number, taxpayer identification
number, state identification number or other identifier, but
does not include information (such as name, mailing or email
address, telephone number, or similar contact information)
necessary to contact an individual.
(6) Responsible agency.--The term ``responsible agency''
means, with respect to a new Federal PII website, the agency
that is responsible for the operation (whether directly or
through contracts with other entities) of the website.
(7) Secure.--The term ``secure'' means, with respect to a
new Federal PII website, that the following requirements are
met:
(A) The website has security features that meet a
standard acceptable for banking purposes and the
responsible agency has a named overall security leader
with a comprehensive, top-down view of the security
posture for the website who has supervised a complete
end-to-end security test.
(B) The website ensures that personally
identifiable information elicited, collected, or stored
in connection with the website is captured at the
latest possible step in a user input sequence.
(C) The responsible agency for the website has
taken reasonable efforts to minimize domain name
confusion, including through additional domain
registrations and a program to educate consumers how to
spot fraudulent websites.
(D) The responsible agency requires all personnel
who have access to personally identifiable information
in connection with the website to have completed a
Standard Form 85P and signed a non-disclosure agreement
with respect to personally identifiable information,
and the agency takes proper precautions to ensure only
trustworthy persons may access such information.
(E) The responsible agency maintains (either
directly or through contract) ample personnel to
respond in a timely manner to issues relating to the
proper functioning and security of the website, and to
monitor on an ongoing basis existing and emerging
security threats to the website.
(8) State.--The term ``State'' means each State of the
United States, the District of Columbia, each territory or
possession of the United States, and each federally recognized
Indian tribe.
Introduced in House
Referred to the House Committee on Oversight and Government Reform.
Committee Consideration and Mark-up Session Held.
Ordered to be Reported in the Nature of a Substitute (Amended) by Voice Vote.
Reported (Amended) by the Committee on Oversight and Government Reform. H. Rept. 113-562.
Placed on the Union Calendar, Calendar No. 421.
Mr. Bentivolio moved to suspend the rules and pass the bill, as amended.
Considered under suspension of the rules. (consideration: CR H6935-6936)
DEBATE - The House proceeded with forty minutes of debate on H.R. 3635.
Passed/agreed to in House: On motion to suspend the rules and pass the bill, as amended Agreed to by voice vote.(text: CR H6935-6936)
Motion to reconsider laid on the table Agreed to without objection.
Received in the Senate and Read twice and referred to the Committee on Homeland Security and Governmental Affairs.