Sec. 406. Federal computer security
/bill/114/s/754/es/section-406
(a) In this section:

  (1) The term covered system shall mean a national security system as defined in section 11103 of title 40, United States Code, or a Federal computer system that provides access to personally identifiable information.

  (2) The term covered agency means an agency that operates a covered system.

  (3) The term logical access control means a process of granting or denying specific requests to obtain and use information and related information processing services.

  (4) The term multi-factor logical access controls means a set of not less than 2 of the following logical access controls:

    (A) Information that is known to the user, such as a password or personal identification number.

    (B) An access device that is provided to the user, such as a cryptographic identification device or token.

    (C) A unique biometric characteristic of the user.

  (5) The term privileged user means a user who, by virtue of function or seniority, has been allocated powers within a covered system, which are significantly greater than those available to the majority of users.

(b)

  (1) Not later than 240 days after the date of enactment of this Act, the Inspector General of each covered agency shall submit to the appropriate committees of jurisdiction in the Senate and the House of Representatives a report, which shall include information collected from the covered agency for the contents described in paragraph (2) regarding the Federal computer systems of the covered agency.

  (2) The report submitted by each Inspector General of a covered agency under paragraph (1) shall include, with respect to the covered agency, the following:

    (A) A description of the logical access standards used by the covered agency to access a covered system, including

      (i) in aggregate, a list and description of logical access controls used to access such a covered system; and

      (ii) whether the covered agency is using multi-factor logical access controls to access such a covered system.

    (B) A description of the logical access controls used by the covered agency to govern access to covered systems by privileged users.

    (C) If the covered agency does not use logical access controls or multi-factor logical access controls to access a covered system, a description of the reasons for not using such logical access controls or multi-factor logical access controls.

    (D) A description of the following data security management practices used by the covered agency:

      (i) The policies and procedures followed to conduct inventories of the software present on the covered systems of the covered agency and the licenses associated with such software.

      (ii) What capabilities the covered agency utilizes to monitor and detect exfiltration and other threats, including

        (I) data loss prevention capabilities; or

        (II) digital rights management capabilities.

      (iii) A description of how the covered agency is using the capabilities described in clause (ii).

      (iv) If the covered agency is not utilizing capabilities described in clause (ii), a description of the reasons for not utilizing such capabilities.

    (E) A description of the policies and procedures of the covered agency with respect to ensuring that entities, including contractors, that provide services to the covered agency are implementing the data security management practices described in subparagraph (D).

The reports required under this subsection may be based in whole or in part on an audit, evaluation, or report relating to programs or practices of the covered agency, and may be submitted as part of another report, including the report required under section 3555 of title 44, United States Code. Reports submitted under this subsection shall be in unclassified form, but may include a classified annex.