Cybersecurity Responsibility and Accountability Act of 2016
This bill requires the National Institute of Standards and Technology (NIST) to incorporate additional cybersecurity requirements in its computer standards for agency information systems and provide the Office of Management and Budget (OMB) with a process for agencies to implement those standards.
NIST must also: (1) support development of information security training and certification for agency heads, (2) address agency-identified information security challenges and knowledge gaps, (3) assess information security statutory requirements, and (4) develop security standards for national security systems.
The OMB must require the heads of agencies (currently, agencies generally) to: (1) report on the adequacy of their information security procedures, (2) provide for independent evaluations of information security practices, and (3) notify Congress and affected individuals of data breaches. Intelligence community agencies affected by data breaches must notify NIST.
Chief information officers of agencies must collaborate with their agency head to designate chief information security officers (positions with job responsibilities to be developed by the OMB and NIST) to replace their current senior agency information security officers.
Agencies must develop mandatory annual information security training and certification to ensure that agency heads understand federal cybersecurity policy regarding: (1) agency systems, (2) cyber-attacks and data breaches, and (3) not using private email servers or messaging systems for official communications.
Agency heads must certify that their agencies meet information security standards and provide reasons for not meeting any standards.
Agency heads must also develop annual plans to implement information security recommendations of the Government Accountability Office (GAO) and inspectors general. If an agency head fails to implement such a recommendation, the reasons for the failure must be provided to the OMB for approval.
For each OMB-defined "major cybersecurity incident" (e.g., an incident involving classified information) that an agency experiences, the agency head must transmit an inspector general-performed independent evaluation to the OMB, the Department of Homeland Security, NIST, Congress, and the GAO. If the evaluation determines that the incident occurred because the agency head failed to comply sufficiently with NIST certification standards or recommendations of the GAO or agency inspectors general, then the OMB must hold the agency head accountable through an enforcement action, which may include actions under the budgetary or appropriations process, a recommendation for the President to remove or demote the agency head, or actions to ensure that the agency head does not receive cash or pay awards or bonuses for one year.
[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6066 Introduced in House (IH)]
114th CONGRESS
2d Session
H. R. 6066
To enforce Federal cybersecurity responsibility and accountability.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
September 19, 2016
Mr. Abraham (for himself and Mr. Smith of Texas) introduced the
following bill; which was referred to the Committee on Oversight and
Government Reform, and in addition to the Committee on Science, Space,
and Technology, for a period to be subsequently determined by the
Speaker, in each case for consideration of such provisions as fall
within the jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To enforce Federal cybersecurity responsibility and accountability.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cybersecurity Responsibility and
Accountability Act of 2016''.
SEC. 2. DEFINITIONS.
Section 3552 of title 44, United States Code, is amended--
(1) by redesignating paragraphs (6) and (7) as paragraphs
(7) and (8), respectively; and
(2) by inserting after paragraph (5) the following new
paragraph:
``(6) The term `major cybersecurity incident' has the
meaning given the term `major incident' in Office of Management
and Budget Memorandum M-16-03, dated October 30, 2015, or any
successor document.''.
SEC. 3. AUTHORITY AND FUNCTIONS OF THE DIRECTOR OF NIST.
(a) Amendment.--Section 3553 of title 44, United States Code, is
amended--
(1) by redesignating subsections (c) through (j) as
subsections (d) through (k), respectively; and
(2) by inserting after subsection (b) the following new
subsection:
``(c) Director of the National Institute of Standards and
Technology.--The Director of the National Institute of Standards and
Technology shall further develop and update as necessary the standards
and guidelines under section 20 of the National Institute of Standards
and Technology Act (15 U.S.C. 278g-3) to fulfill the additional
objectives and requirements of the Cybersecurity Responsibility and
Accountability Act of 2016. Further, the Director of the National
Institute of Standards and Technology shall--
``(1) provide to the Director of the Office of Management
and Budget a framework and process for agency implementation of
such standards and guidelines;
``(2) provide support to agency heads for the
implementation of such standards and guidelines and their
application to information security policies and principles, as
well as with the development of information security training
and certification for agency heads;
``(3) conduct cybersecurity research--
``(A) to identify and address prevalent information
security challenges, concerns, and knowledge gaps
identified by agencies, including those manifested in
any of the reports, evaluations, assessments, and plans
described in this subchapter that may undermine
agencies' information security policies and practices;
``(B) to assess the sufficiency of the current
statutory requirements of the Federal Information
Security Management Act of 2002 and the Federal
Information Security Modernization Act of 2014, and
their effectiveness in requiring agencies to implement
standards and guidelines developed under section 20 of
the National Institute of Standards and Technology Act
(15 U.S.C. 278g-3) and authorized by the Cybersecurity
Responsibility and Accountability Act of 2016 regarding
information security policies and practices; and
``(C) that shall require the Director of the Office
of Management and Budget, the Secretary of Homeland
Security, and the heads of other Federal agencies to
provide the Director of the National Institute of
Standards and Technology any resources, including
reports, evaluations, assessments, and plans, that may
be required for such research; and
``(4) develop, publish, and update as necessary information
security standards and guidelines for national security systems
based on established standards and guidelines for information
systems.''.
(b) Conforming Amendments.--Subchapter II of chapter 35 of title
44, United States Code, is amended--
(1) in the item relating to section 3553 in the table of
sections, by striking ``and the Secretary'' and inserting ``,
the Secretary, and the Director of the National Institute of
Standards and Technology'';
(2) in the section heading for section 3553, by striking
``and the Secretary'' and inserting ``, the Secretary, and the
Director of the National Institute of Standards and
Technology'';
(3) in section 3553(e), as so redesignated by subsection
(a)(1) of this section, by striking ``subsection (c)'' and
inserting ``subsection (d)'';
(4) in section 3553(i)(1)(B), as so redesignated by
subsection (a)(1) of this section--
(A) by striking ``subsection (d)'' and inserting
``subsection (e)''; and
(B) by striking ``subsection (e)'' and inserting
``subsection (f)'';
(5) in section 3554(a)(1)(B)(v), by striking ``section
3553(h)'' and inserting ``section 3553(i)''; and
(6) in section 3555(g)(1), by striking ``section 3553(c)''
and inserting ``section 3553(d)''.
SEC. 4. AGENCY HEADS.
Section 2(d) of the Federal Information Security Modernization Act
of 2014 (44 U.S.C. 3553 note) is amended--
(1) in paragraph (1)--
(A) in subparagraph (A)--
(i) in the matter before clause (i), by
inserting ``head'' after ``affected agency'';
and
(ii) in clause (ii)(IV), by inserting
``head'' after ``when the agency''; and
(B) in subparagraph (B)--
(i) by inserting ``head of the'' after
``notice by the''; and
(ii) by striking ``agency discovers'' and
inserting ``agency head discovers'';
(2) in paragraph (3)(A)(ii), by striking ``section
3553(c)'' and inserting ``section 3553(d)''; and
(3) in paragraph (4), by inserting ``the National Institute
of Standards and Technology and'' after ``such notice to''.
SEC. 5. FEDERAL AGENCY HEAD RESPONSIBILITIES.
Section 3554 of title 44, United States Code, is amended--
(1) in subsection (a)(3)(A)--
(A) by striking ``designating a senior agency
information security officer'' and inserting
``collaborating with the agency head to designate a
Chief Information Security Officer'';
(B) by redesignating clauses (i) through (iv) as
clauses (ii) through (v), respectively;
(C) by inserting before clause (ii), as so
redesignated, the following new clause:
``(i) have the job description and
responsibilities that shall be provided in
guidance issued by the Director, developed in
consultation with the Director of the National
Institute of Standards and Technology and the
Secretary, within 6 months after the date of
enactment of the Cybersecurity Responsibility
and Accountability Act of 2016;'';
(D) in clause (iv), as so redesignated, by striking
``and'' at the end;
(E) in clause (v), as so redesignated, by inserting
``and'' after the semicolon at the end; and
(F) by adding at the end the following new clause:
``(vi) be designated without increasing the
number of full-time equivalent employee
positions at the agency;'';
(2) in subsection (b)--
(A) by redesignating paragraphs (5) through (8) as
paragraphs (6) through (9), respectively; and
(B) by inserting after paragraph (4) the following
new paragraph:
``(5) mandatory annual information security training and
certification designed specifically for the agency head,
developed and updated as necessary by the National Institute of
Standards and Technology, the purpose of which shall be to
ensure that the agency head has an understanding of Federal
cybersecurity policy, including an understanding of--
``(A) the information and information systems that
support the operations and assets of the agency, using
nontechnical terms as much as possible;
``(B) the potential impact of common types of
cyber-attacks and data breaches on the agency's
operations and assets;
``(C) how cyber-attacks and data breaches occur;
``(D) steps the agency head and agency employees
should take to protect their information and
information systems, including not using private
messaging system software or private e-mail servers for
official communications; and
``(E) the annual reporting requirements required of
the agency head under subsection (c), including the
certifications required under subsection
(c)(1)(A)(iv);'';
(3) in subsection (c)--
(A) in paragraph (1)(A)--
(i) by striking ``Each agency'' and
inserting ``The head of each agency'';
(ii) by inserting ``the Director of the
National Institute of Standards and
Technology,'' after ``the Director, the
Secretary,'';
(iii) by inserting ``, Space, and
Technology'' after ``the Committee on
Science'';
(iv) by striking ``and'' at the end of
clause (iii)(II);
(v) by redesignating clause (iv) as clause
(v); and
(vi) by inserting after clause (iii) the
following new clause:
``(iv) specific written certification by
the agency head that--
``(I) certifies that information
security standards developed under
section 20 of the National Institute of
Standards and Technology Act (15 U.S.C.
278g-3) are being met by the agency;
``(II) identifies the security
controls in place at the agency and how
they each meet the relevant information
security standard;
``(III) may be based on or informed
by the assessment described in section
3553(d)(4); and
``(IV) for any information security
standard that the agency does not meet,
provides the reasons therefor and
includes documentation of the
Director's certification of the agency
not meeting the standard; and''; and
(B) in paragraph (2), by striking ``Each agency''
and inserting ``The head of each agency'';
(4) in subsection (d), by striking ``each agency'' and
inserting ``the head of each agency'';
(5) by redesignating subsection (e) as subsection (f);
(6) by inserting after subsection (d) the following new
subsection:
``(e) Plans for Implementation of Recommendations.--
``(1) Comptroller general recommendations.--
``(A) In general.--In addition to the requirements
of subsections (c) and (d), each agency head shall, not
later than 6 months after the date of enactment of the
Cybersecurity Responsibility and Accountability Act of
2016, develop a plan, in consultation with the
Comptroller General, to implement all of the
Comptroller General's recommendations regarding
information security controls relevant to that agency.
``(B) Plan.--The plan required under subparagraph
(A)--
``(i) shall be submitted to the agencies
and committees described in subsection
(c)(1)(A);
``(ii) shall include a schedule for
implementation of the Comptroller General's
recommendations, including a completion
deadline;
``(iii) shall be updated annually, and such
annual updates shall be included in the annual
report described in subsection (c)(1)(A); and
``(iv) may, as appropriate, be based on or
informed by recommendations included in the
evaluation and report described in section
3555(h).
``(C) If no recommendations.--If the Comptroller
General does not have any relevant recommendations for
an agency head to implement relative to information
security controls, then the agency head shall
accordingly notify the agencies and committees
described in subsection (c)(1)(A).
``(D) Reasons for failure to implement.--If there
are any Comptroller General recommendations that an
agency head does not implement, the agency head shall
provide the reasons for that failure to the Director
for the Director's approval. For each unimplemented
recommendation, the plan shall include either the
Director's approval or a certification by the Director
of the agency head's failure to implement such
recommendation.
``(2) Inspector general recommendations.--
``(A) In general.--In addition to the requirements
of subsections (c) and (d), each agency head shall, not
later than 6 months after the date of enactment of the
Cybersecurity Responsibility and Accountability Act of
2016, develop a plan, in consultation with its
Inspector General, to implement all of the Inspector
General's recommendations regarding the agency's
information security program.
``(B) Plan.--The plan required under subparagraph
(A)--
``(i) shall be submitted to the agencies
and committees described in subsection
(c)(1)(A);
``(ii) shall include a schedule for
implementation of the Inspector General's
recommendations, including a completion
deadline;
``(iii) shall be updated annually, and such
annual updates shall be included in the annual
report described in subsection (c)(1)(A); and
``(iv) may, as appropriate, be based on or
informed by recommendations included in--
``(I) the evaluation described in
section 3555(b)(1); or
``(II) if the agency does not have
an Inspector General, the evaluation
described in section 3555(b)(2).
``(C) If no recommendations.--If the Inspector
General does not have any relevant information security
control recommendations for the agency head to
implement, then the agency head shall accordingly
notify the agencies and committees described in
subsection (c)(1)(A).
``(D) Reasons for failure to implement.--If there
are any Inspector General recommendations that the
agency head does not implement, the agency head shall
provide the reasons for that failure to the Director
for the Director's approval. For each unimplemented
recommendation, the plan shall include either the
Director's approval or a certification by the Director
of the agency head's failure to implement such
recommendation.''; and
(7) in subsection (f), as so redesignated, by striking
``Each agency'' and inserting ``The head of each agency''.
SEC. 6. ANNUAL INDEPENDENT EVALUATION.
Section 3555 of title 44, United States Code, is amended--
(1) in subsection (a)(1), by inserting ``head'' after
``each agency'';
(2) in subsection (b)(1), by inserting ``and evaluations
required by section 3555a'' after ``required by this section'';
(3) in subsection (c), by striking ``that portion of the
evaluation required by this section'' and inserting ``the
portions of evaluations required by this section or section
3555a'';
(4) in subsection (e)(2), by inserting ``or section 3555a''
after ``required under this section'';
(5) in subsection (f), by striking ``Agencies'' and
inserting ``In carrying out this section and section 3555a,
agencies'';
(6) in subsection (g)(3), by inserting ``under this section
or section 3555a'' after ``Evaluations'';
(7) in subsection (i)--
(A) by striking ``the head of an agency'' and
inserting ``an agency head'';
(B) by striking ``head of an agency'' and inserting
``agency head''; and
(C) by inserting ``or section 3555a'' after ``under
this section''; and
(8) in subsection (j), by inserting ``the Director of the
National Institute of Standards and Technology,'' after ``with
the Secretary,''.
SEC. 7. MAJOR CYBERSECURITY INCIDENT INDEPENDENT EVALUATIONS.
(a) Amendment.--Subchapter II of chapter 35 of title 44, United
States Code, is amended by inserting after section 3555 the following
new section:
``Sec. 3555a. Major cybersecurity incident independent evaluations
``(a) Requirement.--Each time an agency experiences a major
cybersecurity incident, the agency head shall have performed an
independent evaluation of such incident.
``(b) Inclusions.--An evaluation of a major cybersecurity incident
under this section shall be transmitted by the agency head to the
agencies and committees described in section 3554(c)(1)(A), and shall
include--
``(1) a description of each major cybersecurity incident
including--
``(A) threats and threat actors, vulnerabilities,
and impacts, including whether the incident involved
information that is classified, controlled unclassified
information proprietary, controlled unclassified
information privacy, or controlled unclassified
information other, as these terms are defined in Office
of Management and Budget Memorandum M-16-03, dated
October 30, 2015, or any successor document;
``(B) risk assessments conducted on the system
before the incident;
``(C) the status of compliance of the affected
information system with information security
requirements at the time of the incident, including--
``(i) information security control
recommendations made by the agency's Inspector
General that are part of the plan described in
section 3554(e)(2);
``(ii) information security control
recommendations made by the Comptroller General
that are part of the plan described in section
3554(e)(1); and
``(iii) National Institute of Standards and
Technology information security standards that
are part of the agency head's certification
described in section 3554(c)(1)(A)(iv);
``(D) the detection, response, and remediation
actions the agency has completed; and
``(E) recommendations for research, process, and
policy actions the agency should consider taking in
response to the incident and to help prevent future
incidents of a similar nature; and
``(2) for each major cybersecurity incident involving a
breach of personally identifiable information--
``(A) the number of individuals whose information
was affected by the incident and a description of the
information that was breached or exposed;
``(B) an assessment of the risk of harm to affected
individuals; and
``(C) details of whether and when the agency
provided notice to affected individuals about the data
breach, including what protections were offered by the
breached agency.
``(c) Enforcement.--
``(1) In general.--If an evaluation of a major
cybersecurity incident described in subsection (a) determines
that the major cybersecurity incident occurred in part or in
whole because the agency head had failed to comply sufficiently
with the information security requirements, recommendations, or
standards described in subsection (b)(1)(C), the Director
shall, within 60 days of receiving the evaluation, take action
under paragraph (2).
``(2) Enforcement actions.--Enforcement actions the
Director may take under this subsection are--
``(A) actions described in section 11303(b)(5) of
title 40, United States Code; and
``(B) either--
``(i) recommending to the President the
removal or demotion of the agency head; or
``(ii) action to ensure the agency head
does not receive any cash or pay awards or
bonuses for a period of 1 year after submission
of the explanation required under paragraph
(3).
``(3) Explanation.--The Director shall provide a detailed
explanation for enforcement actions taken under paragraph (2),
or for a decision not to act, to the committees described in
section 3554(c)(1)(A).''.
(b) Table of Sections Amendment.--The table of sections for such
subchapter is amended by inserting after the item relating to section
3555 the following new item:
``3555a. Major cybersecurity incident independent evaluations.''.
Introduced in House
Referred to the Committee on Oversight and Government Reform, and in addition to the Committee on Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Committee Consideration and Mark-up Session Held.
Ordered to be Reported by Voice Vote.