
BILL · 113th Congress · H.R. 1468 (Introduced in House) — To improve information security, and for other purposes.

Sec. 201. Coordination of Federal information security policy


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting the following:

Sec. 3551. Purposes

The purposes of this subchapter are—
- to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
- to recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management of policies, directives, standards, and guidelines, as well as effective and nimble oversight of and response to information security risks, including coordination of information security efforts throughout the Federal civilian, national security, and law enforcement communities;
- to provide for development and maintenance of controls required to protect agency information and information systems and contribute to the overall improvement of agency information security posture;
- to provide for the development of tools and methods to assess and respond to real-time situational risk for Federal information system operations and assets; and
- to provide a mechanism for improving agency information security programs through continuous monitoring of agency information systems and streamlined reporting requirements rather than overly prescriptive manual reporting.

Sec. 3552. Definitions

In this subchapter:

The term "adequate security" means security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction, or modification of information.

The term "agency" has the meaning given the term in section 3502 of title 44.

The term "cybersecurity center" means the Department of Defense Cyber Crime Center, the Intelligence Community Incident Response Center, the United States Cyber Command Joint Operations Center, the National Cyber Investigative Joint Task Force, the National Security Agency/Central Security Service Threat Operations Center, the National Cybersecurity and Communications Integration Center, and any successor center.

The term "cyber threat information" means information that indicates or describes—
- a technical or operation vulnerability or a cyber threat mitigation measure;
- an action or operation to mitigate a cyber threat;
- malicious reconnaissance, including anomalous patterns of network activity that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat;
- a method of defeating a technical control;
- a method of defeating an operational control;
- network activity or protocols known to be associated with a malicious cyber actor or that signify malicious cyber intent;
- a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to inadvertently enable the defeat of a technical or operational control;
- any other attribute of a cybersecurity threat or cyber defense information that would foster situational awareness of the United States cybersecurity posture, if disclosure of such attribute or information is not otherwise prohibited by law;
- the actual or potential harm caused by a cyber incident, including information exfiltrated when it is necessary in order to identify or describe a cybersecurity threat; or
- any combination of subparagraphs (A) through (I).

The term "Director" means the Director of the Office of Management and Budget unless otherwise specified.

The term "environment of operation" means the information system and environment in which those systems operate, including changing threats, vulnerabilities, technologies, and missions and business practices.

The term "Federal information system" means an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

The term "incident" means an occurrence that—
- actually or imminently jeopardizes the integrity, confidentiality, or availability of an information system or the information that system controls, processes, stores, or transmits; or
- constitutes a violation of law or an imminent threat of violation of a law, a security policy, a security procedure, or an acceptable use policy.

The term "information resources" has the meaning given the term in section 3502 of title 44.

The term "information security" means protecting information and information systems from disruption or unauthorized access, use, disclosure, modification, or destruction in order to provide—
- integrity, by guarding against improper information modification or destruction, including by ensuring information nonrepudiation and authenticity;
- confidentiality, by preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; or
- availability, by ensuring timely and reliable access to and use of information.

The term "information system" has the meaning given the term in section 3502 of title 44.

The term "information technology" has the meaning given the term in section 11101 of title 40.

The term "malicious reconnaissance" means a method for actively probing or passively monitoring an information system for the purpose of discerning technical vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.

The term "national security system" means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—
- the function, operation, or use of which—
  - involves intelligence activities;
  - involves cryptologic activities related to national security;
  - involves command and control of military forces;
  - involves equipment that is an integral part of a weapon or weapons system; or
  - subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or
- is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
Subparagraph (A)(i)(V) does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).

The term "operational control" means a security control for an information system that primarily is implemented and executed by people.

The term "person" has the meaning given the term in section 3502 of title 44.

The term "Secretary" means the Secretary of Commerce unless otherwise specified.

The term "security control" means the management, operational, and technical controls, including safeguards or countermeasures, prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

The term "significant cyber incident" means a cyber incident resulting in, or an attempted cyber incident that, if successful, would have resulted in—
- the exfiltration from a Federal information system of data that is essential to the operation of the Federal information system; or
- an incident in which an operational or technical control essential to the security or operation of a Federal information system was defeated.

The term "technical control" means a hardware or software restriction on, or audit of, access or use of an information system or information that is stored on, processed by, or transiting an information system that is intended to ensure the confidentiality, integrity, or availability of that system.

Sec. 3553. Federal information security authority and coordination

The Secretary, in consultation with the Secretary of Homeland Security, shall—
- issue compulsory and binding policies and directives governing agency information security operations, and require implementation of such policies and directives, including—
  - policies and directives consistent with the standards and guidelines promulgated under section 11331 of title 40 to identify and provide information security protections prioritized and commensurate with the risk and impact resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of—
    - information collected or maintained by or on behalf of an agency; or
    - information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
  - minimum operational requirements for the Federal Government to protect agency information systems and provide common situational awareness across all agency information systems;
  - reporting requirements, consistent with relevant law, regarding information security incidents and cyber threat information;
  - requirements for agencywide information security programs;
  - performance requirements and metrics for the security of agency information systems;
  - training requirements to ensure that agencies are able to fully and timely comply with the policies and directives issued by the Secretary under this subchapter;
  - training requirements regarding privacy, civil rights, and civil liberties, and information oversight for agency information security personnel;
  - requirements for the annual reports to the Secretary under section 3554(d);
  - any other information security operations or information security requirements as determined by the Secretary in coordination with relevant agency heads; and
  - coordinating the development of standards and guidelines under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) with agencies and offices operating or exercising control of national security systems (including the National Security Agency) to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems;
- review the agencywide information security programs under section 3554; and
- designate an individual or an entity at each cybersecurity center, among other responsibilities—
  - to receive reports and information about information security incidents, cyber threat information, and deterioration of security control affecting agency information systems; and
  - to act on or share the information under subparagraph (A) in accordance with this subchapter.

When issuing policies and directives under subsection (a), the Secretary shall consider any applicable standards or guidelines developed by the National Institute of Standards and Technology under section 11331 of title 40.

The authorities of the Secretary under this section shall not apply to national security systems. Information security policies, directives, standards and guidelines for national security systems shall be overseen as directed by the President and, in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems. Nothing in this subchapter shall be construed to alter or amend any law regarding the authority of any head of an agency over such agency.

Sec. 3554. Agency responsibilities

The head of each agency shall—
- be responsible for—
  - complying with the policies and directives issued under section 3553;
  - providing information security protections commensurate with the risk resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—
    - information collected or maintained by the agency or by a contractor of an agency or other organization on behalf of an agency; and
    - information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
  - complying with the requirements of this subchapter, including—
    - information security standards and guidelines promulgated under section 11331 of title 40;
    - for any national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued as directed by the President; and
    - for any non-national security systems operated or controlled by that agency, information security policies, directives, standards and guidelines issued under section 3553;
  - ensuring that information security management processes are integrated with agency strategic and operational planning processes;
  - reporting and sharing, for an agency operating or exercising control of a national security system, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for national security systems issued as directed by the President; and
  - reporting and sharing, for those agencies operating or exercising control of non-national security systems, information about information security incidents, cyber threat information, and deterioration of security controls to the individual or entity designated at each cybersecurity center and to other appropriate entities consistent with policies and directives for non-national security systems as prescribed under section 3553(a), including information to assist the entity designated under section 3555(a) with the ongoing security analysis under section 3555;
- ensure that each senior agency official provides information security for the information and information systems that support the operations and assets under the senior agency official's control, including by—
  - assessing the risk and impact that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information or information systems;
  - determining the level of information security appropriate to protect such information and information systems in accordance with policies and directives issued under section 3553(a), and standards and guidelines promulgated under section 11331 of title 40 for information security classifications and related requirements;
  - implementing policies, procedures, and capabilities to reduce risks to an acceptable level in a cost-effective manner;
  - actively monitoring the effective implementation of information security controls and techniques; and
  - reporting information about information security incidents, cyber threat information, and deterioration of security controls in a timely and adequate manner to the entity designated under section 3553(a)(3) in accordance with paragraph (1);
- assess and maintain the resiliency of information technology systems critical to agency mission and operations;
- designate the agency Inspector General (or an independent entity selected in consultation with the Director and the Council of Inspectors General on Integrity and Efficiency if the agency does not have an Inspector General) to conduct the annual independent evaluation required under section 3556, and allow the agency Inspector General to contract with an independent entity to perform such evaluation;
- delegate to the Chief Information Officer or equivalent (or to a senior agency official who reports to the Chief Information Officer or equivalent)—
  - the authority and primary responsibility to implement an agencywide information security program; and
  - the authority to provide information security for the information collected and maintained by the agency (or by a contractor, other agency, or other source on behalf of the agency) and for the information systems that support the operations, assets, and mission of the agency (including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency);
- delegate to the appropriate agency official (who is responsible for a particular agency system or subsystem) the responsibility to ensure and enforce compliance with all requirements of the agency's agencywide information security program in coordination with the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5);
- ensure that an agency has trained personnel who have obtained any necessary security clearances to permit them to assist the agency in complying with this subchapter;
- ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5), in coordination with other senior agency officials, reports to the agency head on the effectiveness of the agencywide information security program, including the progress of any remedial actions; and
- ensure that the Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under paragraph (5) has the necessary qualifications to administer the functions described in this subchapter and has information security duties as a primary duty of that official.

Each Chief Information Officer or equivalent (or the senior agency official who reports to the Chief Information Officer or equivalent) under subsection (a)(5) shall—
- establish and maintain an enterprise security operations capability that on a continuous basis—
  - detects, reports, contains, mitigates, and responds to information security incidents that impair adequate security of the agency's information or information system in a timely manner and in accordance with the policies and directives under section 3553; and
  - reports any information security incident under subparagraph (A) to the entity designated under section 3555;
- develop, maintain, and oversee an agencywide information security program;
- develop, maintain, and oversee information security policies, procedures, and control techniques to address applicable requirements, including requirements under section 3553 of this title and section 11331 of title 40; and
- train and oversee the agency personnel who have significant responsibility for information security with respect to that responsibility.

Each agencywide information security program under subsection (b)(2) shall include—
- relevant security risk assessments, including technical assessments and others related to the acquisition process;
- security testing commensurate with risk and impact;
- mitigation of deterioration of security controls commensurate with risk and impact;
- risk-based continuous monitoring and threat assessment of the operational status and security of agency information systems to enable evaluation of the effectiveness of and compliance with information security policies, procedures, and practices, including a relevant and appropriate selection of security controls of information systems identified in the inventory under section 3505(c);
- operation of appropriate technical capabilities in order to detect, mitigate, report, and respond to information security incidents, cyber threat information, and deterioration of security controls in a manner that is consistent with the policies and directives under section 3553, including—
  - mitigating risks associated with such information security incidents;
  - notifying and consulting with the entity designated under section 3555; and
  - notifying and consulting with, as appropriate—
    - law enforcement and the relevant Office of the Inspector General; and
    - any other entity, in accordance with law and as directed by the President;
- a process to ensure that remedial action is taken to address any deficiencies in the information security policies, procedures, and practices of the agency; and
- a plan and procedures to ensure the continuity of operations for information systems that support the operations and assets of the agency.

Each agencywide information security program under subsection (b)(2) shall include the development and maintenance of a risk management strategy for information security. The risk management strategy shall include—
- consideration of information security incidents, cyber threat information, and deterioration of security controls; and
- consideration of the consequences that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, including any information system provided or managed by a contractor, other agency, or other source on behalf of the agency.

Each agencywide information security program under subsection (b)(2) shall include policies and procedures that—
- are based on the risk management strategy under paragraph (2);
- reduce information security risks to an acceptable level in a cost-effective manner;
- ensure that cost-effective and adequate information security is addressed as part of the acquisition and ongoing management of each agency information system; and
- ensure compliance with—
  - this subchapter; and
  - any other applicable requirements.

Each agencywide information security program under subsection (b)(2) shall include information security, privacy, civil rights, civil liberties, and information oversight training that meets any applicable requirements under section 3553. The training shall inform each information security personnel that has access to agency information systems (including contractors and other users of information systems that support the operations and assets of the agency) of—
- the information security risks associated with the information security personnel's activities; and
- the individual's responsibility to comply with the agency policies and procedures that reduce the risks under subparagraph (A).

Each agency shall submit a report annually to the Secretary of Homeland Security on its agencywide information security program and information systems.

Sec. 3555. Multiagency ongoing threat assessment

The Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, shall designate an entity to implement ongoing security analysis concerning agency information systems—
- based on cyber threat information;
- based on agency information system and environment of operation changes, including—
  - an ongoing evaluation of the information system security controls; and
  - the security state, risk level, and environment of operation of an agency information system, including—
    - a change in risk level due to a new cyber threat;
    - a change resulting from a new technology;
    - a change resulting from the agency's mission; and
    - a change resulting from the business practice; and
- using automated processes to the maximum extent possible—
  - to increase information system security;
  - to reduce paper-based reporting requirements; and
  - to maintain timely and actionable knowledge of the state of the information system security.

The National Institute of Standards and Technology may promulgate standards, in coordination with the Secretary of Homeland Security, to assist an agency with its duties under this section.

The head of each appropriate department and agency shall be responsible for ensuring compliance and implementing necessary procedures to comply with this section. The head of each appropriate department and agency, in consultation with the Director of the Office of Management and Budget and the Secretary of Homeland Security, shall—
- monitor compliance under this section;
- develop a timeline and implement for the department or agency—
  - adoption of any technology, system, or method that facilitates continuous monitoring and threat assessments of an agency information system;
  - adoption or updating of any technology, system, or method that prevents, detects, or remediates a significant cyber incident to a Federal information system of the department or agency that has impeded, or is reasonably likely to impede, the performance of a critical mission of the department or agency; and
  - adoption of any technology, system, or method that satisfies a requirement under this section.

The authorities of the Director of the Office of Management and Budget and of the Secretary of Homeland Security under this section shall not apply to national security systems.

Not later than 6 months after the date of enactment of the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2013, the Government Accountability Office shall issue a report evaluating each agency's status toward implementing this section.

Sec. 3556. Independent evaluations

The Council of the Inspectors General on Integrity and Efficiency, in consultation with the Director and the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense, shall issue and maintain criteria for the timely, cost-effective, risk-based, and independent evaluation of each agencywide information security program (and practices) to determine the effectiveness of the agencywide information security program (and practices). The criteria shall include measures to assess any conflicts of interest in the performance of the evaluation and whether the agencywide information security program includes appropriate safeguards against disclosure of information where such disclosure may adversely affect information security.

Each agency shall perform an annual independent evaluation of its agencywide information security program (and practices) in accordance with the criteria under subsection (a).

Not later than 30 days after receiving an independent evaluation under subsection (b), each agency head shall transmit a copy of the independent evaluation to the Secretary of Homeland Security, the Secretary of Commerce, and the Secretary of Defense.

Evaluations involving national security systems shall be conducted as directed by President.

Sec. 3557. National security systems

The head of each agency operating or exercising control of a national security system shall be responsible for ensuring that the agency—
- provides information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information contained in such system; and
- implements information security policies and practices as required by standards and guidelines for national security systems, issued in accordance with law and as directed by the President.

Policy and compliance guidance issued by the Director before the date of enactment of this Act under section 3543(a)(1) of title 44, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to its terms, until modified, terminated, superseded, or repealed pursuant to section 3553(a)(1) of title 44, United States Code.

Standards and guidelines issued by the Secretary of Commerce or by the Director before the date of enactment of this Act under section 11331(a)(1) of title 40, United States Code (as in effect on the day before the date of enactment of this Act), shall continue in effect, according to their terms, until modified, terminated, superseded, or repealed pursuant to section 11331(a)(1) of title 40, United States Code, as amended by this Act.

The chapter analysis for chapter 35 of title 44, United States Code, is amended—
- by striking the items relating to sections 3531 through 3538;
- by striking the items relating to sections 3541 through 3549; and
- by inserting the following:
  3551. Purposes.
  3552. Definitions.
  3553. Federal information security authority and coordination.
  3554. Agency responsibilities.
  3555. Multiagency ongoing threat assessment.
  3556. Independent evaluations.
  3557. National security systems.

Section 1001(c)(1)(A) of the Homeland Security Act of 2002 (6 U.S.C. 511(1)(A)) is amended by striking "section 3532(3)" and inserting "section 3552".

Section 2222(j)(5) of title 10, United States Code, is amended by striking "section 3542(b)(2)" and inserting "section 3552".

Section 2223(c)(3) of title 10, United States Code, is amended by striking "section 3542(b)(2)" and inserting "section 3552".

Section 2315 of title 10, United States Code, is amended by striking "section 3542(b)(2)" and inserting "section 3552".

Section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) is amended—
- in subsection (a)(2), by striking "section 3532(b)(2)" and inserting "section 3552";
- in subsection (c)(3), by striking "Director of the Office of Management and Budget" and inserting "Secretary of Commerce";
- in subsection (d)(1), by striking "Director of the Office of Management and Budget" and inserting "Secretary of Commerce";
- in subsection (d)(8), by striking "Director of the Office of Management and Budget" and inserting "Secretary of Commerce";
- in subsection (d)(8), by striking "submitted to the Director" and inserting "submitted to the Secretary";
- in subsection (e)(2), by striking "section 3532(1) of such title" and inserting "section 3552 of title 44"; and
- in subsection (e)(5), by striking "section 3532(b)(2) of such title" and inserting "section 3552 of title 44".

Section 8(d)(1) of the Cyber Security Research and Development Act (15 U.S.C. 7406(d)(1)) is amended by striking "section 3534(b)" and inserting "section 3554(b)(2)".